Imagine you’re a merchant who just spent millions of dollars securing your point of sale systems with the latest endpoint cardholder data protection. You followed every PCI-DSS requirement, as well as the guidelines for point-to-point encryption and the best practices for tokenization. Every day, you answer the 15 questions on the Merchant Evaluation Checklist for Skimming Prevention–for every terminal you own.
Then imagine receiving a call one day that your store has been found to be the common point of compromise for thousands of skimmed cards. Whoa, you say, what did we do wrong?
The bad news is that, since the breach was at your location, by PCI’s definition you are now non-compliant. You fear reputational and financial harm, additional fines from the card brands, and the public act of contrition you’ll probably have to make.
So what happened? In this case, it turns out a clever con man set up a small stand in your parking lot every day during lunch hour. The stand had a simple message, “CLEAN YOUR CARD HERE – IT’S FREE.” And it turns out, over several weeks , he provided this free service to thousands of unsuspecting consumers, who happily “cleaned” their debit and credit cards only to discover days later that their bank accounts had been emptied and their lines of credit decimated. Could you have prevented this breach? Who actually exposed the data you spent millions trying to safeguard?
The PCI Council, which manages the standard, is now promulgating new rules for devices that read cards. Dubbed SRED for Secure Reading and Exchange of Data, the rules say card readers will need to undergo testing, certification, and listing on the Council Web site, at considerable time-to-market and financial expense to vendors and a handsome profit to the Council (which we will simply call “PCI”).
You may think this is a good idea, but the logic is flawed.
The strongest encryption, including SRED, cannot protect data that have already been written on the blackboard. The serial number on a $20 bill cannot be protected with encryption. It’s visible.
Similarly, the cardholder data encoded on a magnetic stripe are in the clear. They consist of strings of zeros and ones: a machine-readable magnetic barcode. Twenty characters are printed or embossed on the front of the card. The other sixteen characters can be viewed just as easily. They cannot be considered sensitive or secret.
Think of it this way: Suppose the data on the magstripe were written in Braille rather than binary code. Just because you can’t read Braille doesn’t mean the data are secret. Braille is easily interpreted.
The data are unprotected on the stripe from the time they are first issued and must be delivered in clear text to the brands for authorization. But in the middle, it’s your responsibility as the merchant to shroud them. And now PCI will dictate exactly how!
Deny, Deflect, Distract
Imagine the irony: Heavily armored readers mandated for merchants to protect data–while an enterprising crook can use an ordinary reader (easy to find, and cheap), set it out on a stand in a well-traveled parking lot, add a tempting free service, and harvest thousands of usable card records.
The protection of cardholder data requires an authentication strategy, which PCI has routinely dismissed. PCI is not concerned with fraud reduction or genuine cardholder data protection. Compliance is the name of the game. That’s how you’re measured.
PCI is a private rules company with a very pious persona. The PCI DSS is not a standard, it’s a strategy. It is an agent of the brands, who are its owners, and it exists solely to serve their needs. Make no mistake, its stated mission is to protect cardholder data, but its true purpose is to deny, deflect and distract. It is the ultimate preserver of the status quo (weak merchants, strong brands) and a serious threat to innovation.
Two years ago, PCI presented a report prepared by Price Waterhouse Coopers. It touted encryption and tokenization to aid compliance and reduce scope. That same report said certain dynamic-authentication technologies had the potential to reduce fraud and even “eliminate the need for PCI.” But would PCI support technologies that could render it useless? The evidence says no.
Cardholder data can be protected, but not by the current onerous, ineffective, illogical PCI rules. The simple “CLEAN YOUR CARD HERE” story should be instructive. Encrypting readers and tokenization enable compliance, but do not and cannot prevent the disclosure of cardholder data.
On the other hand, an authentication strategy based on dynamic data would protect cardholder data, remove the incentive to steal the data, and actually curb fraud. Don’t be duped or distracted by reams of compliance instructions. The security they offer is an illusion. Insist on authentication.
How can we change the status quo? Don’t comply: Deny. Deny PCI the dues that keep it in existence. Deny PCI the fees they charge for Web-site listings. Deny PCI their hypocritical dogma and lopsided rule-making. Deny PCI their moralizing and patronizing forums. Deny PCI their expansionism. Deny PCI their voluminous compliance manuals.
Also, ask the PCI Council to do some deep soul searching and amend its mission. Compliance is not a worthy goal. Fraud reduction–to the point PCI is no longer necessary–should be its objective.
Make your voice heard! Occupy PCI! No tents necessary.