Retailer Breaches: A PCI Failure?Experts Debate Merits of Payment Card Security Standard
In light of recent payment card breaches at Target Corp. and Neiman Marcus, security experts are asking why mandates for compliance with the Payment Card Industry Data Security Standard are apparently failing to protect cardholder data.
Avivah Litan, a financial fraud expert with Gartner, calls PCI "a failure," saying merchants and payments processors have invested heavily in PCI compliance, but still have been breached.
Others say more industry collaboration - among retailers, banking institutions, the card brands and processors - should be more of a focus, long-term, rather than just attaining PCI compliance.
And while the PCI Security Standards Council declined to provide comment for this story, PCI experts, such as Gartner analyst Anton Chuvakin, say the PCI Council's role is not to enforce merchants' security.
"Retailers' security does not end with PCI-DSS; it begins with it," Chuvakin says. "The retailer security team may well have planned for the risk of POS malware, with no regard to PCI-DSS. After all, it is their business and they need to protect it - not the council, not the card brands, not others."
PCI 'Hasn't Kept Up'
The efficacy of PCI compliance has been called into question numerous times over the last 12 to 18 months. Since news broke about the Target breach, which exposed details on some 40 million credit and debit in addition to personal information about 70 million customers, and the Neiman Marcus attack, more questions about PCI and the general state of card security in the U.S. have surfaced.
Gartner's Litan ignited the latest PCI discussion with a Jan. 20 blog.
"The PCI security standard has largely been a failure when you consider its initial purpose and history," Litan writes. "Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach."
She argues that the payment card industry - U.S. banking institutions and the major card brands, Visa, MasterCard, American Express and Discover - failed to address fundamental security issues after the first major card breach at Card Systems International in 2005.
"At the least, they should have upgraded the payment systems infrastructure to support end (retailer) to end (issuer) encryption for card data, much like PINs are managed today," she writes. "They should have also started migrating to stronger cardholder authentication (ala EMV chip cards) so that the magnetic stripe on the back of our cards can finally be eliminated."
Cards that conform to the Europay, MasterCard, Visa Standard, known as EMV, store data and interact with point-of-sale devices via a micro-processing chip, which cannot be skimmed like legacy mag-stripe cards.
Rather than taking the steps Litan outlines, the industry adopted PCI, putting the financial burden on merchants and processors to maintain compliance, the analyst says. Since then, the industry has seen a progression of high-profile breaches, including TJX, Heartland Payment Systems and now Target and Neiman Marcus.
"The [PCI] standard hasn't kept up with the latest attack vectors, and retailers can't be expected to know more than the security vendors do about detecting new forms of malware that evade conventional measures prescribed by PCI," Litan writes.
Gaps Are Common
Mike Versace, global research director specializing in risk and IT infrastructure at IDC Financial Insights, says gaps in PCI compliance at the point-of-sale level are common at many merchants.
"I don't know anything about Target's security - if it's good or bad," Versace says. "But if malware was part of the PIN-mag-stripe process, and if those PIN pads had Triple DES or AES [Advanced Encryption Standard] encryption, would we have lost PIN data or as much PIN data? No. If that data is encrypted at point of entry, PINs would not be exposed as badly as they were here."
Encrypting data at the point of entry, in this case, the point of sale, is mandated by PCI, as part of the Payment Application Data Security Standard and requirements for POS PIN entry device certification.
Versace also stresses the need for beefed-up PCI enforcement and consistent risk assessments.
"We need to look at the technical standards that are needed to protect PIN pads and PIN data," he adds.
But Rodolphe Simonetti, managing principal of Verizon's Enterprise Solution PCI Compliance practice, says retailers shouldn't get too hung up on assessments that focus solely on PCI compliance.
"The assessment is just a very small part of PCI compliance, and too many companies still focus on the assessment itself while ongoing compliance maintenance is the real deal," he says.
Chris Strand, a PCI-DSS expert at security firm Bit9, which in 2013 suffered its own malware attack and subsequent breach, says PCI compliance is difficult to maintain.
"If you're not assessing risks and monitoring compliance in real time, you will basically find yourself with an incident," he says.
The need for real-time compliance is acknowledged by the PCI Council in its most recent PCI-DSS update, Version 3.0, which took effect Jan. 1, Strand says.
The PCI Council's "business-as-usual" approach, outlined in 3.0, requires ongoing security checks across all entities involved in a transaction, not just the retailer or payments processor.
"Payment security is an everyday business practice," Bob Russo, general manager of the PCI Council, told BankInfoSecurity in a Nov. 7 interview.
In September, Troy Leach, the PCI Council's chief technology officer, outlined PCI's stance on POS hardware and software.
During an interview with BankInfoSecurity, Leach said that security breaches resulting from the use of default passwords had reached a tipping point.
In August, POS software vulnerabilities were at the core in a wave of malware attacks that targeted a handful of small merchants in Kentucky and Southern Indiana (see Recent Retail Breaches Connected).
Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust, one of the card issuers affected, told BankInfoSecurity that remote-access used by those breached merchants was to blame.
Strand of Bit9 says the PCI Council will likely issue a formal addendum or supplement to PCI-DSS 3.0 in light of the high-profile Target and Neiman Marcus incidents.
"In the encryption key management specification, I believe we will see more," Strand says. "They're likely to redefine end-to-end protection. And with all of the pieces in the puzzle with payment card transactions, they could go a lot farther with the recommendations."
Industry Collaboration Needed
In the meantime, Dan Clements, CEO of cyber-intelligence firm IntelCrawler, which has been tracking the retail malware, BlackPOS, believed to be linked to the Target attack and others, says banking institutions and the card brands should require merchants and acquiring banks to have mandatory briefings about emerging intelligence threats. "It could be done with a combination of security companies and law enforcement," he says.
Had these types of briefings been in effect last year, the Target POS attack would not have been a surprise, Clements says.
IDC's Versace and Bit9's Strand also stress the need for collaboration.
"This is not just a retail industry issue," Versace says. "And I think it needs to stay in the private sector. Maybe it comes from the Financial Services Roundtable; or maybe the National Retail Federation. Whoever it is, it can't be driven by government or standards bodies."
The private sector needs to focus more attention on how systems are audited and software is deemed secure, Strand says, because so many players are involved in payments. "It's not uncommon to have three or four different companies involved in a POS transaction," he explains.
And Verizon's Simonetti says it seems banking institutions are already taking the lead by spearheading efforts to provide more encryption services to merchants and businesses. "Several banking institutions I work with are already thinking about both mitigating the risk while expanding their business," he says. "Offering point-to-point encryption solutions to their customers would kill two birds with one stone, since those solutions significantly reduce risk and compliance efforts for merchants."