90 Percent of Retailers Fail PCI, but PCI Failed Them, Too

Only 11 percent of retailers comply with PCI, and even they have no guarantee of being secure

Target executives have consistently said the company’s security was solid and its compliance with PCI data-protection standards up to snuff before and after the data breach in which it lost 40 million debit- and credit-card numbers and 70 million other customer records.

According to a Verizon Enterprise Solutions analysis of the whole industry, however, 90 percent of companies fail to meet the security requirements in the Payment Card Industry (PCI) Data Security Standard (DSS), with which any company accepting digital payment cards must comply.

The problem doesn’t appear to be the retailers, however, according to Verizon. The problem is the PCI DSS standard, version 3.0 of which came out a year ago and went into effect at about the same time Target was breached. The report, which Verizon won’t publish until Feb. 11 but released to The Wall Street Journal Feb. 6, is based on analysis of five years’ worth of PCI assessments, focusing specifically on how PCI members were (or were not) able to meet PCI standards and stay compliant with them over time.

Most of the requirements are basic: secure passwords, secure networks, limits on access to sensitive systems, regular monitoring and testing of sensitive networks, and frequent checks through self-assessment and external validation of PCI-certified systems.

The specifications are long and often complex, and the work they require is never-ending. About 80 percent of organizations were able to remain compliant with about 80 percent of the rules during 2013, but most either weren’t able to cross off the other 20 percent of compliance steps, or weren’t able to keep up with the maintenance chores required to stay compliant.

Full PCI compliance not only fails to guarantee security, but the effort required to chase PCI compliance also takes away from the budget and energy available for other security efforts, according to a Jan. 20 blog post by Gartner analyst Aviva Litan, who has excoriated both Target and the PCI rules as top-heavy and ineffective.

The BlackPOS malware installed on Target systems scraped data from POS memory, then double-encrypted it before sending it out via another server, making it impossible for Target’s intrusion detection systems to pick it up, Litan wrote: “None of the conventional anti-malware applications on the market today look for this sort of program.” Though it’s still not clear how the malware got into Target’s systems, it appears to have come in through supplier or vendor connections.

“Nothing I know of in the PCI standard could have caught this stuff. So I think it’s flat out wrong to blame this all on Target or on any of the other breached entities,” she added.

Real blame for the weaknesses of PCI falls not on Target, but on Visa, Mastercard and the banks that vigorously resist upgrades to encrypted chip-and-PIN card systems or other, more agile ways to keep up with attacks. Even if 100 percent of companies enrolled in PCI were able to reach and maintain compliance, the cost and effort would be no guarantee that they wouldn’t get hit the same way Target did, or be sued just like Target, by banks looking for $1 billion in compensation for Target’s security failure.

The mistake is in putting all the onus on retailers and little on the banks, clearinghouses or other entities involved, all of which are less accessible targets than the retailers on the front lines.

Visa and Mastercard used to give retailers “safe harbor” protection from lawsuits if they were breached but it turned out they were compliant with PCI rules, Litan wrote. That protection disappeared right after the first big breaches of retail companies during the mid-2000s.

Now the assumption is that, even if a retailer passed a PCI assessment, it must have been holding something back or fooling the assessor somehow, because it couldn’t have been breached if it had been up to PCI’s specs. That is not only self-evidently untrue, Litan wrote, but it leaves retailers in the position of being vulnerable to abuse from both hackers and auditors, without any guarantee that pleasing one will help stave off the other.

“Merchants,” she wrote, “are still basically toast.”
