Is PCI Compliance working?
PCI Compliance, the payment card industry's standard for helping vendors reduce security threats, is playing a big role in making credit card processing systems more secure. But does it really work?
PCI DSS, the Payment Card Industry Data Security Standard, helps organizations that process card payments prevent credit card fraud and other security threats. It covers proper password management, network security (using a firewall), encryption of data both in transit and at rest, data access controls, and other measures. Most relevant to the content of this site is the obvious need to encrypt sensitive network traffic using an SSL certificate.
Though it is hard to see a problem with having such a standard, some are concerned about whether the standard really works to protect consumer credit card information and prevent fraud. There have been some recent cases where credit card information was stolen despite vendors following PCI Compliance standards. One of these is the Hannaford Brothers grocery chain. According to the news report:
A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.
Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.
The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.
It appears that there was some sort of network breach, such as malware or a full network attack, in which a sniffer was possibly installed. Andrew Codrington commented on this, saying:
Some are saying this shows PCI is ineffective: “In other words, PCI is worthless”
I disagree. (Even though one of my own credit cards was apparently duplicated in the last couple of weeks, giving someone a lucrative weekend shopping spree through central Ontario…)
While the Hannaford breach clearly demonstrates that PCI needs to go further before it is an effective weapon, there is no doubt that it is moving the payment industry in the right direction.
I think the biggest problem is how flexible the PCI Compliance process can be. This allows more organizations to process credit cards, but it can lead to problems if a vendor believes it is secure simply because it is "PCI Compliant" when it really needs to do much more to maintain full security.
Still, as Andrew says, the standard is certainly a step in the right direction. I think Evan Schuman sums it up best: "Please don't give up on PCI because it's proven to not be a perfect protector. Giving up 'pretty good' so that you can mount an impossible search for 'absolute' is exactly what every cyberthief in Eastern Europe wants you to do."
Originally posted on Sun Apr 13, 2008