Payment card security standards are a joke

Jan 26, 2016 Blog


The user experience doesn’t get much better than credit or debit cards. You hand over the card, you swipe, you sign or punch in a PIN, and you go. Compared to a lot of other transactions we make through technology, that’s pretty fast. Most people outside the industry probably have no idea how slowly the industry behind those cards is moving to protect the data on them.

Now that the Payment Card Industry (PCI) Security Standards Council has proven itself ineffective, with a security standard that many retailers have seen fit to ignore, it’s no surprise that it’s reconsidering its approach. PCI-DSS was supposed to be in place among U.S. merchants by now. To a large degree, that hasn’t happened. Now the Council is reportedly working on a new set of standards, and it’s starting the easy way. Before the end of the year, it will offer a self-assessment questionnaire that firms would have to fill out at their banks’ request. It’s not yet clear who would have to do the due diligence to verify that the answers on such a form are genuine, or what happens to those retailers who are almost, but not quite, there. Extensions to compliance deadlines are what allow things like the TJX fiasco to happen in the first place. If the Council keeps on this way, it will continue to lose credibility.

The whole thing is an example of how nimble and quick-footed attackers are compared to the bureaucracy that surrounds standards bodies. Only now is the Council really looking closely at wireless security, when it has been clear for some time that the TJX intruders got in through the retailer’s outdated wireless encryption (WEP). By the time the Council comes out with an approval process and picks certified evaluators, there are bound to be a new set of vulnerabilities exposed that the latest guidelines won’t cover. This isn’t meant to sound discouraging, but consider that the current standard, PCI-DSS, advocates the use of firewalls and intrusion-detection systems. There isn’t a lot of evidence to suggest the standards are offering anything beyond common sense, and a merchant that meets that minimum is compliant, not necessarily secure.

Banks and credit companies like to think they are in charge of this situation because they could, in theory, penalize retailers. In most cases they won’t dare do that, however, given that it threatens their relationship with the channel they depend on for their business. The Council’s efforts are handicapped by the fact that implementing its standards involves purchasing equipment, then configuring, deploying and debugging it. In other words, they are adding another project to the already busy workloads of retail IT departments. If we accept the conventional wisdom that more than half of all IT projects either fail or miss their deadlines, then the Council’s expectations are unrealistic. And yet no one would say it’s unrealistic for consumers to expect the data they authorize to pass through those networks to be secured.

Perhaps, along with standards that set a minimum level of protection for retail data, the industry should at least explore tailoring ITIL or other process frameworks to show merchants how they can adopt these practices smoothly and efficiently. Otherwise, there may not be much point in having such a council at all. Before it passes out the self-evaluation forms, maybe the PCI Security Standards Council should fill one out itself.