Compliance has become the goal of PCI, rather than data protection and fraud reduction. It's high time that changed, says Mimi Hart.
Occupy PCI.
It's time the 99% are heard. The Payment Card Industry data-security standard (PCI) is pernicious, collusive, and inane. It's also ineffective for fraud reduction.
Imagine you're a merchant who just spent millions of dollars securing your point-of-sale systems with the latest endpoint cardholder data protection. You followed every PCI-DSS requirement, as well as the guidelines for point-to-point encryption and the best practices for tokenization. Every day, you answer the 15 questions on the Merchant Evaluation Checklist for Skimming Prevention—for every terminal you own.
Then imagine receiving a call one day that your store has been found to be the common point of compromise for thousands of skimmed cards. Whoa, you say, what did we do wrong?
Flawed Logic
The bad news is that, since the breach was at your location, by PCI's definition you are now non-compliant. You fear reputational and financial harm, additional fines from the card brands, and the public act of contrition you'll probably have to make.
So what happened? In this case, it turns out a clever con man set up a small stand in your parking lot every day during lunch hour. The stand had a simple message, "CLEAN YOUR CARD HERE—IT'S FREE." And it turns out, over several weeks he provided this free service to thousands of unsuspecting consumers, who happily "cleaned" their debit and credit cards only to discover days later that their bank accounts had been emptied and their lines of credit decimated. Could you have prevented this breach? Who actually exposed the data you spent millions trying to safeguard?
The PCI Security Standards Council, which manages the standard, is now promulgating new rules for devices that read cards. Dubbed SRED, for Secure Reading and Exchange of Data, the rules say card readers will need to undergo testing, certification, and listing on the Council Web site, at considerable time-to-market and financial expense to vendors and a handsome profit to the Council (which we will simply call "PCI").
You may think this is a good idea, but the logic is flawed.
The strongest encryption, including SRED, cannot protect data that have already been written on the blackboard. The serial number on a $20 bill cannot be protected with encryption. It's visible.
Similarly, the cardholder data encoded on a magnetic stripe are in the clear. They consist of strings of zeros and ones: a machine-readable magnetic barcode. Twenty characters are printed or embossed on the front of the card. The other 16 characters can be viewed just as easily. They cannot be considered sensitive or secret.
Think of it this way: Suppose the data on the magnetic stripe were written in Braille rather than binary code. Just because you can't read Braille doesn't mean the data are secret. Braille is easily interpreted.
The data are unprotected on the stripe from the time they are first issued and must be delivered in clear text to the brands for authorization. But in the middle, it's your responsibility as the merchant to shroud them. And now PCI will dictate exactly how!
Deny, Deflect, Distract
Imagine the irony: Heavily armored readers mandated for merchants to protect data—while an enterprising crook can use an ordinary reader (easy to find, and cheap), set it out on a stand in a well-traveled parking lot, add a tempting free service, and harvest thousands of usable card records.
The protection of cardholder data requires an authentication strategy, which PCI has routinely dismissed. PCI is not concerned with fraud reduction or genuine cardholder data protection. Compliance is the name of the game. That's how you're measured.
PCI is a private rules company with a very pious persona. The PCI DSS is not a standard, it's a strategy. It is an agent of the brands, who are its owners, and it exists solely to serve their needs. Make no mistake, its stated mission is to protect cardholder data, but its true purpose is to deny, deflect and distract. It is the ultimate preserver of the status quo (weak merchants, strong brands) and a serious threat to innovation.
Two years ago, PCI presented a report prepared by PricewaterhouseCoopers. It touted encryption and tokenization to aid compliance and reduce scope. That same report said certain dynamic-authentication technologies had the potential to reduce fraud and even "eliminate the need for PCI." But would PCI support technologies that could render it useless? The evidence says no.
Occupy PCI
Cardholder data can be protected, but not by the current onerous, ineffective, illogical PCI rules. The simple "CLEAN YOUR CARD HERE" story should be instructive. Encrypting readers and tokenization enable compliance, but do not and cannot prevent the disclosure of cardholder data.
On the other hand, an authentication strategy based on dynamic data would protect cardholder data, remove the incentive to steal the data, and actually curb fraud. Don't be duped or distracted by reams of compliance instructions. The security they offer is an illusion. Insist on authentication.
How can we change the status quo? Don't comply: Deny. Deny PCI the dues that keep it in existence. Deny PCI the fees it charges for Web-site listings. Deny PCI its hypocritical dogma and lopsided rule-making. Deny PCI its moralizing and patronizing forums. Deny PCI its expansionism. Deny PCI its voluminous compliance manuals.
Also, ask the PCI Council to do some deep soul searching and amend its mission. Compliance is not a worthy goal. Fraud reduction—to the point PCI is no longer necessary—should be its objective.
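The contrast the author draws between static stripe data and dynamic authentication can be made concrete in a small simulation. The following is an added example, not code from the article or from MagTek: it models an issuer that accepts a copied static record every time it is presented, and the same issuer enforcing dynamic authentication, where each swipe carries a fresh counter and an HMAC over the record and counter under a key only the card and issuer hold. The record, key, HMAC construction and counter scheme are all constructed assumptions for illustration; real schemes (such as EMV cryptograms) differ in detail but rely on the same principle, that a captured record is worthless without the key and cannot be replayed.

```python
import hmac
import hashlib

# Constructed sample values (not a real card, not a real key).
STATIC_RECORD = b"4111111111111111=2512"   # PAN=expiry, as it sits in the clear on a stripe
CARD_KEY = b"constructed-per-card-secret-key"


class Issuer:
    """Authorization host. Holds the per-card key and the last counter it accepted."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self._last_counter = 0

    def authorize_static(self, record: bytes) -> bool:
        # With static data there is nothing to verify beyond "does this look like the card":
        # a copy of the record is indistinguishable from the card itself.
        return record == STATIC_RECORD

    def authorize_dynamic(self, record: bytes, counter: int, cryptogram: bytes) -> bool:
        # Reject any counter at or below the last one seen: a replayed swipe fails here.
        if counter <= self._last_counter:
            return False
        expected = hmac.new(self._key, record + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        # Constant-time comparison; a forged cryptogram (no key) fails here.
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._last_counter = counter
        return True


class Card:
    """A card with a secret key that produces a fresh cryptogram on every use."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self._counter = 0

    def swipe(self) -> tuple[bytes, int, bytes]:
        self._counter += 1
        cryptogram = hmac.new(
            self._key, STATIC_RECORD + self._counter.to_bytes(4, "big"), hashlib.sha256
        ).digest()
        return STATIC_RECORD, self._counter, cryptogram


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (static copy accepted, genuine swipe accepted, replay accepted, forgery accepted)."""
    issuer = Issuer(CARD_KEY)
    card = Card(CARD_KEY)

    # A copied static record is accepted: nothing distinguishes it from the original.
    stolen_copy = bytes(STATIC_RECORD)
    static_copy_ok = issuer.authorize_static(stolen_copy)

    # Under dynamic authentication a genuine swipe is accepted once ...
    swipe = card.swipe()
    genuine_ok = issuer.authorize_dynamic(*swipe)
    # ... replaying the captured swipe is rejected (counter already used) ...
    replay_ok = issuer.authorize_dynamic(*swipe)
    # ... and a forged cryptogram with a fresh counter but no key is rejected too.
    forged_ok = issuer.authorize_dynamic(STATIC_RECORD, swipe[1] + 1, b"\x00" * 32)

    return static_copy_ok, genuine_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False, False)
```

The point of the simulation is the last three results: once the authorization decision depends on a per-transaction value computed with a key that never leaves the card, the static record that a skimmer could copy is no longer sufficient to transact, which is what "removes the incentive to steal the data" in practice.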
Make your voice heard! Occupy PCI! No tents necessary.
Annmarie D. (Mimi) Hart is chief executive of MagTek Inc., Seal Beach, Calif. Reach her at Mimi.Hart@MagTek.com. This article is adapted from a speech given in September at the Federal Reserve Bank of Chicago.