Standard Not Set in Stone

Remember the TJX customer-data debacle? 94 million credit cards were stolen by hackers. PCI—the payment card industry's security standard—could have minimized the damage. Comply now or repeat the retailer's record-setting breach.

Standard Not Set in Stone

The PCI Security Standards Council has got its work cut out. Not only will it need to help laggards over the last hump, but it must maintain the standards so they’ll keep up with the most recent threats.

“It’s a changing landscape, and the hackers are getting smarter,” Russo says. “Will the standard ever be complete? I doubt it. It’s more of a journey than a destination.”

Although the council has yet to release specifics, most insiders expect a new PCI standard update involving the encryption of personal identification number (PIN) entry devices, the establishment of payment application best practices, and tweaks to the self-assessment questionnaires for Level 3 and Level 4 merchants. But merchants shouldn’t be wary, Russo says, since all changes will be made with ample contributions from advisory board members from all parts of the payment card lifecycle.

“Contrary to popular belief, it is not our intent to bring out a new standard to put everybody out of compliance,” Russo says. “And we don’t sit in an ivory tower and pick this out of the air; it’s all based on real-world experience from participating organizations.”

The real goal, Russo says, is to keep cardholders safe. And while most security gurus would agree that PCI isn’t a silver bullet, it will go a long way toward shielding retailers’ records from the bad guys.

Unfortunately, this lesson wasn’t learned soon enough to prevent the TJXgaffe. Many experts believe that if TJXhad been PCI-compliant prior to its breach, the situation would not have been as severe as what came to pass.

True, WEP wireless security was the first point of penetration in the TJXhack, and at the time PCI standards did not require WPA encryption. But experts believe that it really was the mediocre security endemic to the TJXinfrastructure that gave attackers such unlimited access to customer data. TJXsecurity and PCI compliance efforts had so many holes that what could have been a minor wireless hack turned into a massive breach.

“If TJXhad been PCI-compliant, there is no doubt that this breach could not have had the scope or lasted the length of time that it did,” says Sentrigo’s Osnat. “It’s very, very unlikely. They did not get access to the hundred million credit card numbers just by intercepting wireless transmissions. That would have taken a very long time, much longer than 17 months.”

Perhaps one of the biggest problems TJXhad at the time of the breach was not just that it was falling short of PCI mandates, but that its efforts to comply were geared toward adhering to the letter of the law rather than the spirit of the law. The e-mails dredged up through court proceedings certainly illustrate this point. “Check-box compliance,” or establishing a set of standards that can be loosely interpreted, could be one of PCI’s chief weaknesses. In the end, the question will be how committed organizations are to protecting customer and cardholder interests.

“PCI is helping to set a minimum standard,” says Hughes’ Kenyon. “I think what it really has done is [act as] a vehicle for education, more than anything else—to really get the message down past the IT department to senior managers.”

PayPal’s Barrett believes that early resistance was mostly a byproduct of culture shock. Many retailers and other organizations that accept credit cards weren’t accustomed to having a third party mandate security controls—sometimes involving expensive upgrades.

“I think what you’re seeing is simply the fact that as a culture, as a sort of retail payments culture, there hasn’t been enough collective attention to this,” Barrett says. “And whenever you change culture, it always takes several years, and it’s always accompanied by lots of wailing and gnashing of teeth. But I don’t think any of that says either it’s the wrong thing to do or it undercuts the inevitability of the journey we’re on, because I do think in a few years we’re going to look back at this and say, ‘What the heck was all the fuss about?’”