Ten years after the founding of the Payment Card Industry Security Standards Council (PCI SSC), we present a mid-term report on the industry’s data security efforts. As both cyber attacks and regulatory interest in data privacy and protection increase, we also examine the outlook for data security and PCI DSS.
Asked why he robbed banks, prolific US bank robber Willie Sutton is alleged to have responded, “That’s where the money is.” In the modern economy, data equals money – writes Joyrene Thomas.
Almost every business holds data about customers, staff or partners, for example customer lists, payroll data and supplier bank details. Payment card data is a very particular case of where data definitely equals money. Criminals sell stolen card data on underground carding forums. They use card data to create fake cards to withdraw money from ATMs, or buy things to sell on for a profit.
Criminals have become adept at digital hold-ups. They rob banks but also payment service providers, retailers and any other businesses that store, process or transmit card data. Around ten years ago, data breaches were rising. Card fraud was increasing. Cardholders and card issuers were left out of pocket. The industry decided to act.
THE FIRST TEN YEARS
The first version of the payment card industry data security standards (PCI DSS) was published in December 2004. Two years later, the five global card brands founded the security standards council (PCI SSC), which celebrates its ten-year anniversary in September. So, where is the industry ten years after the founding of the PCI SSC?
“On the whole, we are in a really good place from the PCI SSC’s perspective. We have a fantastically strong community that has been growing and getting better. Nearly everywhere I go, people are aware of the PCI standards, understand what they’ve got to do and why they’ve got to do it,” says Jeremy King, international director, PCI SSC.
Undoubtedly the PCI DSS has helped set a good baseline for card data security. As a standard, it has been regularly updated and widely adopted globally across the industry. It has helped provide the catalyst for investment to secure card data, plus personal data more generally. The PCI DSS has helped to raise awareness of the importance of data security among all types of businesses, albeit by accident rather than by design.
However, raising awareness and raising the bar against data breaches are two different things. Criminals have not stood still. If anything, the criminals and the data security industry are in an innovation arms race. Both sides are evolving their methods and devising new ways to steal or protect card data.
“Criminals have become more aware of the opportunities for stealing data across the board. That is probably the biggest challenge we see today. When the PCI SSC was founded ten years ago, the biggest challenge we faced was that merchants and organisations were storing vast amounts of cardholder data,” explains King. Companies are storing less card data, preferring to tokenise or encrypt sensitive data if they store it at all. Criminals have moved to stealing data in transit.
Benjamin Hosack, director at security firm Foregenix, has also noted a change in data breach trends over the last decade. “In the early days of PCI DSS, the data compromises were more manual — they did not use much automation or malware. Over the last 7-10 years, the attacks are getting to be really quite sophisticated with advanced malware in retail, hospitality and e-commerce environments.”
“There is a lot more compromise activity going on than people realise. In Europe, e-commerce businesses are the ones that get hit most. In the US, it is mainly the card-present environment. In the Middle East and Africa, it is a mix of the two,” says Hosack.
GETTING THE BASICS RIGHT/WRONG?
Worldwide spending on information security will reach $81.6 billion in 2016, an increase of 7.9 percent on 2015, according to the latest Gartner forecast. Yet spending on info-sec tech only seems to be growing in proportion to the volume of incidents across all industries. The retail sector is still experiencing 2.7 times more attacks than finance sector clients, according to a recent NTT Group report. Retail was followed by the hospitality, leisure and entertainment sector, then insurance, government and manufacturing. This comes as no surprise, after all that’s where the data/money is.
It is perhaps surprising that criminals are still exploiting the basics with tried-and-true methods. This is illustrated by the consolidation of vulnerabilities. The top ten external vulnerabilities accounted for nearly 52 percent of all external vulnerabilities used during 2015. A long tail of thousands more accounted for the other 48 percent. It is a similar story with regard to the age of exploits. Nearly 21 percent of vulnerabilities detected in client networks were more than three years old. More than 12 percent were over five years old, and over five percent were more than 10 years old, according to the NTT Group.
“I still don’t think we do enough to get the basics right. We still have poor password use, poor authentication process for connecting into networks, and we don’t have excellent network security. When we still don’t get the basics right and focus on ticking the boxes and compliance, rather than security as business-as-usual, then we’re open to attack,” says King.
According to Hosack, many businesses that get compromised are not set up to manage their data security effectively themselves, or they do not understand it. Reading into the publicly available information behind most of the large data compromises in the US, Hosack contends that many of these compromises could have been picked up earlier. If the technology and the teams monitoring the technology had been properly tuned, they could have identified and contained the attacks sooner. Meanwhile, at the small to medium end of the market, companies may not have the skills on their team to manage their environments properly. They may not have the technology either, as this is mostly aimed at the enterprise market.
The security focus has to be right to be effective. PCI DSS can almost give a false sense of security if not implemented correctly. Horror stories abound of organisations that chase PCI DSS compliance in isolation and do not secure customer data. This can be as valuable as cardholder data, if not more so. For example, one online retailer secured their cardholder data, but not their customer database. Criminals hacked into the database and e-mailed customers with a special offer, which linked to a fake order page. When customers unwittingly placed orders and entered their card details, the information went straight to the criminals.
THE BALANCING ACT
For all that the PCI SSC has achieved in the last ten years, the council and the standard are not without their detractors. Leaving the cardholder to one side for now, there is a balance to be struck between the interests of card issuers, card acquirers and merchants. There is also a geographic balance to be struck between the US, the last major market to move to EMV chip, and the rest of the world which is already established with the technology.
With regard to costs and liabilities, there is a feeling that the cost of data security and compliance is not spread across the whole value chain. This is still a flashpoint between the merchant community and the issuer-centric card schemes. Merchants feel disproportionately burdened with the costs for securing card data, with few of the benefits in terms of a liability shift or interchange saving.
One of the most vocal detractors of the PCI SSC is the National Retail Federation (NRF), a retail trade association. In May the association asked the US Federal Trade Commission (FTC) to conduct an investigation into the PCI SSC, citing antitrust concerns.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” said NRF general counsel, Mallory Duncan, in a letter to the FTC chairwoman.
“The PCI SSC is a proprietary organisation formed and controlled by a single industry sector — the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organisations,” continued Duncan.
The NRF’s request comes at a time when the FTC is already investigating how assessors measure compliance with the PCI DSS. In what may prove to be a portent for operators in the rest of the world, the FTC issued orders to nine PCI DSS-accredited assessment firms in March, requesting information and a limited set of example PCI DSS assessments.
The request follows a long-running legal battle between the FTC and the hotel chain Wyndham Hotels and Resorts over a series of data breaches in 2008 and 2009. In what was regarded as a test case, the FTC was granted the power to charge Wyndham with “unfair and deceptive practices” in failing to protect consumer payment card data.
The wider implications of this judgement mean that US companies that fail to adequately protect card data could be subject to both contractual penalties from card schemes and acquirers, and FTC regulatory sanctions. Whether the regulatory interest shown in data security in the US holds up in court and goes on to set a precedent for other national regulators remains to be seen.
The future seems to be happening much faster, which necessitates a new agility. “When you look back ten years, payments wasn’t evolving very quickly. Now it seems that every week a new payment technology is coming along,” says King. The technologies likely to gain traction are mobile contactless payment (the ‘Pays’), where cardholder authentication is not necessarily PIN. King also cites embedded, frictionless payments, where payment happens in the back-end à la Uber.
The evolution towards mobile and cloud will have a bearing on how the PCI DSS standard develops. The PCI SSC will continue to consider ways of securing the transaction, where the data is at risk and what the criminal can gain, according to King. As the face-to-face environment becomes more secure with the roll-out of EMV chip and point-to-point encryption technologies, the risk profile changes. PCI DSS could well move towards a more channel-based approach, one that simplifies the standard for the card-present environment and evolves it for the e-commerce environment.
Opportunities and threats exist in the same PCI DSS future. There are opportunities to bake security into solutions, spread the cost of compliance across the value chain, and develop a more consistent compliance approach between card schemes. The stakes are high. In a worst-case scenario, data security could be the death of cards. If the costs of security and compliance stifle innovation, cards could become less attractive than alternative payment methods.
One certainty about the future of data security generally is that it has a future. It is integral to every business, because data breaches not only threaten an organisation’s reputation and bottom line but their very existence. As a result the profile of data security generally, not just in relation to PCI DSS, has become a board-level concern within most organisations over the last 12-18 months. Tone from the top is important in setting the security agenda. However, good security also involves everyone in an organisation, not just the IT or risk department. If the data security stakes were not already high enough, they are set to become even higher.
In addition to regulatory interest in PCI stateside, the European regulators have also been busy. Three new pieces of legislation will become national law within the next 18 months to two-and-a-half years: the revised Directive on Payment Services (PSD2), the European Banking Authority regulatory technical standard on secure and common communications, and the EU General Data Protection Regulation (EU GDPR). Businesses trading in or with Europe will become more accountable as the custodians of personal data. They face mandatory breach notification for the loss of personal data, an increased fine schedule of up to €20 million or four percent of global turnover, and the appointment of a data protection officer.
PCI DSS may become the least of any company’s worries. The provisions contained in the EU GDPR are even more significant. Those who already comply or are working towards compliance with card data security standards may have a head-start with regard to these. However, two years is not a long time to overhaul IT systems, internal processes and procedures, and company culture with regard to data. Act now. The data clock is ticking.