Friday, April 3, 2009

House Rips PCI Standard, Gets Kicked Out of Bed By Credit Card Industry

In another practical demonstration of how politics makes for strange bedfellows, the US House of Representatives threw a hissy fit this week concerning the ineffectiveness of the PCI Standard when it comes to actually protecting against real threats.

As background, the Payment Card Industry Data Security Standard (PCI DSS) was an elaborate framework designed by the credit card industry and foisted upon retailers and anyone else involved in credit card transactions to ostensibly protect against the various security threats that exist.

It's long been thought by many outside of the credit card industry that PCI was more about credit card companies looking to shift the burden (and expense) of credit card fraud and abuse onto retailers, processors, and other groups. Instances of fraud have exploded as fraudsters exploit technological advances, and the breakdown of geographic barriers has allowed criminals from Eastern Europe, Russia, and China to become major players both in fraudulent transactions and in money laundering through the resale of goods bought with stolen card data.

Turns out that little events like the massive data breaches at Heartland and other processors have served to substantiate earlier claims that PCI was more for show than for actual protection, as a number of the companies involved in breaches had either been certified as PCI-compliant or had robust PCI programs in place at the time.

As with most disagreements, the truth probably lies somewhere in the middle. PCI isn't necessarily worthless, but it does have its limitations. Primarily, it's a static set of guidelines and requirements, revised only periodically, and it's unreasonable to expect a static checklist to keep pace with a dynamic threat environment. A compliant organization can satisfy every requirement on the list and still be vulnerable to whatever attack the list hasn't caught up with yet.

Similarly, there are challenges to applying the PCI framework across the whole spectrum of businesses that have skin in the game. Depending on business type, transaction volume, location, and other factors, certain threats are higher risk than others, and attempting to paint all entities with the same risk mitigation brush is foolish.

The House should probably look in the mirror a bit before it begins pontificating about PCI. It's pretty easy to connect the dots between lobbyists and campaign contributions from the credit card industry and the apparent ease that same group had in getting its PCI recommendations to breeze through the very same legislative body.

Congress has a conveniently short memory when it comes time to be publicly outraged about some issue or another, as we've seen with the financial crisis, AIG, TARP, and so on. Sadly, in almost every case, it is complicit in the problem at the very least, and often a major contributor to the root cause.

So what's the answer?

It comes down to a simple math equation. When a breach costs more in penalties than preventing one would, businesses will step up their game. If I can spend $1 million to protect customer information, or instead pay only $10,000 in breach response costs and penalties, it doesn't take an accounting expert to know what most companies will do with their cost-benefit analysis.

If it costs $1 million to protect the data and $5 million to compensate customers whose information has been lost or stolen, the equation shifts. Protection is suddenly a relatively good investment, and that holds for businesses of every size. A $5 million penalty could put many small companies out of business, so it's in their own best interest to do a better job of data protection.

Until we're ready to face this reality, expect more pontificating and less protection.

1 comment:

  1. This looks like another case of government regulation that's all talk and little result. When will people learn the government isn't your friend.
