I happened upon the Council's news page today and saw a couple of attention-grabbing headlines: Time for Smartcards and PCI Council Responds to Critics. Both are interesting given the run of breaches we have seen over the last couple of months, but both miss key points. Let's start with the Council's response.
First, we should be clear: what Russo is saying is accurate. The majority of breaches, Target's included, happen because of basic security failures that the standard already covers. Go look at requirements 8.3 (two-factor authentication for remote network access) and 8.5.6.b (monitoring vendor remote-access accounts while they are in use), both of which speak directly to the latest disclosures about how the attackers got in. I also agree that the industry needs more collaboration, but collaboration and investigation tend to sit at odds. The bad guys can infiltrate the forums where we collaborate, which tips them off to what we know about their activity and makes it harder for law enforcement to catch and punish them.
Where things fall short is the speed at which the standard changes and, more specifically, how slowly retailers implement it. Version 3.0 does cover some of what Russo refers to around malware, but it does not really address the more advanced techniques we are seeing: the requirement is written around anti-virus software and signature updates rather than controls that would actually stop custom, signature-evading malware. To make matters worse, most companies won't start validating against 3.0 until after December 31, 2014, when 2.0 is officially retired. The attackers can read the standard too; they know exactly what it covers and can iterate faster than it does.
Granted, the Council is in a hard spot. If they revise the standard to strengthen the controls, they effectively move markets in a way that Congress frowns upon. On top of that, the community will cry foul, because the next level of control needed to prevent something like this adds significant CapEx and OpEx to their P&Ls.
Secondly, while I agree with Avivah Litan that the efficacy of PCI DSS looks questionable in light of these breaches, what she doesn't say is that retailers, for the most part, don't want to deal with PCI DSS at all. They do the absolute minimum to comply and then point the finger elsewhere when they are breached. It's sad, really. Information security is hard, but the basic blocking and tackling in PCI DSS is table stakes nowadays. Many retailers simply don't take it seriously, so while PCI DSS may be a decent standard, it is poorly implemented in the field, and that neuters its ability to protect the ecosystem.
Now, let's examine the Target piece. They are correct that EMV boosts the security of Card-Present transactions, but it does nothing for Card-Not-Present fraud. Even a cursory internet search will show that Card-Present fraud declined dramatically in Europe after the EMV migration while Card-Not-Present fraud rose. And the biggest point Target misses is that EMV can be deployed in the same insecure ways as traditional magstripe transactions: the card data still passes through the terminal and the POS in the clear unless the merchant adds point-to-point encryption or tokenization on top, and the magstripe fallback path typically stays enabled. EMV alone would not have prevented this from happening.
One of the funnier things in Target's letter is the discussion of PINs. As it stands today in the US, EMV is not implemented with a PIN unless you are running a debit transaction; it's Chip & Sign, as I have discussed before. Perhaps the folks doing the implementation should have copy-edited the letter a bit to help its author form a more credible argument. In Target's defense, they were one of the first retailers I noticed putting EMV-capable terminals on their cash lanes. I remember seeing them years ago. That said, I only got my first EMV card last year and have not tried to present it for payment in that slot. Who knows if it even works.
So what we see is the PR machines in high gear following the incidents, and maybe some good will come out of this. But until retailers (and the industry) ditch the compliance mindset in favor of a security- or defense-minded posture, we are going to keep seeing these breaches and the PR campaigns that follow.