Assessing a Decade of PCI

Controversial from the start, the PCI Council faces a vastly changed security landscape from the one it confronted when it was born 10 years ago.

Mobile payments, tokenization, and the growth of tech startups are new elements on the payments scene, but data breaches still abound, much as they did in September 2006 when the PCI Security Standards Council was born.

The Council began life as a creation of the four major U.S.-based card networks—Visa Inc., MasterCard Inc., American Express Co., and Discover Financial Services—as well as Japan’s JCB in an effort to harmonize the networks’ various security rules. Its first action was to issue Version 1.1 of the Payment Card Industry data-security standard. Version 1.0 actually predated the Council’s birth.

Compliance with the data-security rules—the latest is Version 3.2—is obligatory for merchants, processors, and vendors that handle general-purpose card data. Almost immediately, merchants began complaining about the hassles and costs of compliance. That hasn’t stopped.

A Pat on the Back

Nonetheless, the PCI Council gave itself a pat on the back on its 10th birthday, but just quickly enough to keep attention on its never-ending mission of keeping hackers away from payment data.

“We are proud of the advances in payment security that we’ve made together as an industry,” General Manager Stephen Orfei said in Las Vegas before more than 1,400 attendees at the Council’s annual North America community meeting in September.

“We are also aware of the very real threat of cybercrime to global commerce, and see the need now, more than ever, for us to join forces in an effort to devalue data and make it useless to criminals,” Orfei continued. “Global collaboration in this effort is vital.”

Digital Transactions asked Troy Leach, chief technology officer at the Wakefield, Mass.-based PCI Council, if he thinks his organization has been successful.

“I absolutely do, and sometimes that’s hard to see,” he says.

“The success is that there are organizations encrypting their card data, that didn’t exist 10 years ago,” Leach says. “There are organizations segmenting their card data [away from non-payment data], that didn’t exist 10 years ago.” He adds that simply “raising awareness” about the importance of protecting card data is one of the Council’s biggest successes.

Catch 22 Scenario

Besides the main PCI-DSS, the Council also oversees and updates nine related standards governing, among other things, payment card software, PIN-accepting and point-of-interaction devices, and point-to-point encryption of card data.

While the Council makes the rules, enforcement is up to the card networks, merchant acquirers, and a host of vendors hired by acquirers and processors to inspect card operations, leading to questions about the fairness of the PCI system.

Some breached organizations, including merchant acquirer Heartland Payment Systems Inc. (now part of Global Payments Inc.), said they had passed PCI inspections shortly before fraudsters broke into their systems. In a Catch 22-like scenario, the companies then would be declared non-compliant and subject to network fines.

Despite the prominence PCI has gained in card payments, hundreds of data breaches still occur every year. Target Corp.’s breach in late 2013 compromised 40 million cards and The Home Depot Inc. compromise ensnared more than 50 million. Both came along years after the PCI rules took effect.

“Data breaches will continue to be there because we’ve grown the ability to have remote distributed access [to card data],” Leach says. He goes on to note that the coming of mobile devices and the iterations of mobile payments, including in-app payments, have their good and bad sides.

“All these new opportunities present new opportunities for criminals,” he says.

There hasn’t been a huge breach like Target’s for some time, but recently a number of hotel chains have reported compromises of point-of-sale systems in their restaurants, bars, and other non-reservation venues. Oracle Corp. this summer disclosed that it had found malware on some of its older Micros POS systems, which are widely used in the hospitality industry.

As it continues to grapple with protecting traditional card payments, the PCI Council is keeping an eye on emerging systems such as mobile payments. The Council is expected to issue an update soon to its card-production standard that will address the over-the-air provisioning of cardholder data to mobile devices, according to Leach.

“It would be the current card-equivalent credentials uploaded to the [mobile phone’s] secure element or the HCE [host card emulator] in the cloud,” he says.

The Council also is working with chip card standards body EMVCo to update 3-D Secure, an online authentication technology originally developed by Visa and also used by other networks to protect e-commerce transactions (“Securing the Future of 3-D Secure,” July).

While it can be effective, 3-D Secure hasn’t been popular with merchants or card issuers. Especially in its earlier renditions, the extra steps 3-D Secure required cardholders to take led to abandoned transactions, the bane of e-commerce merchants.

‘Compliant on Paper’

Avivah Litan, a vice president and security technology analyst at Stamford, Conn.-based Gartner Inc. who has followed PCI since its early days, says “the PCI Council has been very successful in some ways and very unsuccessful in others.”

“Successful—in creating a relatively thorough standard with lots of inputs from security experts around the world,” she says by email. “They also raised security awareness and helped move the market towards more secure payment systems.

“Unsuccessful—in thinking about and coming up with a standard that can be practically enforced so that companies are more secure, not just compliant on paper. So while thorough, the standard has done nothing to stop many destructive breaches against the payments industry.”

Another long-time PCI observer, Al Pascual, senior vice president and head of fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research, says, “lack of an effective mechanism to ensure compliance” has hamstrung the PCI Council’s effectiveness.

Pascual, in an email, disagrees with Litan on the awareness issue, saying the Council’s success has been hurt by “a lack of awareness among many merchants as to threats they face, which in turn contributes to a failure to comply” with the rules. He adds that “updated guidelines are themselves often influenced by major data-loss events or trends, meaning that they have an inherent lag time.”

Still, he says the Council “was created for the right reasons and [has] made the right recommendations when it comes to data security.”

What Did Hackers Learn From Target’s Breach?

Usually, it’s the hacked company that’s asked what it learned from the data breach it suffered. But hackers are learning all the time, usually at a faster rate than their victims.

In an effort to gain some insights from turning that question around, Digital Transactions asked two data-security experts about what they thought fraudsters learned from Target Corp.’s late 2013 data breach. That breach, which compromised 40 million payment cards and another 70 million customer records with personal information, ultimately cost Target $201 million—$291 million offset by $90 million in insurance, according to company financial statements.

Hackers broke into Target’s computer systems using the access privileges of a Target heating-ventilation-air conditioning services supplier in Pennsylvania. Once in, they wormed their way to the systems that held payment card and other customer data, then planted malware to capture and export it.

Since then, fraudsters have gotten better at concealing their activities, says Branden R. Williams, an independent security consultant in Dallas.

“If they’ve learned anything, it’s to bury their methods,” he says.

In addition, some cyber-criminals moved away from compromising suppliers to get at their true victims, simply because of all the attention on that tactic post-Target, according to Williams. “All of a sudden everyone’s going to be aware of vendor supply-chain issues.”

Williams also says failure to comply with card-industry security rules played a role in the breach. The supplier’s account should have required two-factor authentication and been shut off when not in use, he says, but neither of those requirements was met, he says.

Now, with the coming of the Internet of Things (IoT), in which Web-connected household devices and even automobiles can do all sorts of nifty things remotely, Williams worries about new opportunities for criminals. In something of a reverse supply-chain hack, fraudsters may gain the ability to tamper with consumers’ devices by gaining unauthorized access to manufacturers’ sites and their IoT connections.

KrebsOnSecurity, a prominent cybersecurity newsletter, reported in mid-October that the European Commission, the administrative arm of the European Union, was considering new rules to fortify the vulnerable IoT.

“It’s a cool world,” Williams says of the IoT. But instead of looking at what the IoT “does for you,” consumers and companies should look at “what it could do. People don’t consider the possibilities.”

Hackers also learned from Target the value of sharing resources.

“It’s undeniable that hackers collaborate and share tools and information in the underweb,” Julie Conroy, research director and security analyst at Boston-based Aite Group LLC, says by email. “The Target breach was one of many manifestations of that trend rather than a tipping point per se. As an example, the type of malware that was used to capture the data was a generic form of memory scraper that was for sale for $2,000 in the underweb at that time.

“The organized-crime rings behind so much of this fraud have specializations and areas of expertise just as regular businesses do,” she adds. “They also have chat boards that facilitate the sharing of information and tactics, and I’ve seen numerous examples of malware kits that have links to online customer service—for an extra fee, of course—to help the hacker that’s purchased it most effectively direct the malware against the targets.”

Thus, the Target breach “was more a product of years of collective intelligence rather than the start,” she says. “The scary thing is, we continue to see the bad guys’ collective intelligence build, which translates to the continued increase in volume and sophistication of attacks the industry is experiencing.”