A Friday Afternoon Conversation About PCI DSS


So I should be doing a million other things besides this, but….

    I was thinking while I was driving today about PCI (yeah, that might be an indicator that I think about Risk Management too much).  And it occurred to me that PCI DSS might have it all backwards.  Now I’m just thinking out loud here, and throwing this blog post up on a whim (for Twitter conversations that are happening in parallel) so be polite/nice…

    1.)  As Jack likes to say, all control efforts are centered around Prevent/Detect/Respond.  And if we can prevent at 100% efficiency, we don’t really need to care about D & R.  Similarly, if we can D/R at 100% efficiency, we don’t really need to care about Prevention.  But the real world is ugly, and you’ll never get 100% at any level.

    2.)  The concept of Defense-In-Depth is that we have multiple layers of P/D/R.  They work together such that if the first layer of Prevention is compromised (P^1), then D^1/R^1 significantly contributes to a second layer of P for subsequent PDR efforts we could call P^2/D^2/R^2.

    3.)  Assuming that all the PCI PII is good for is either the fraudulent purchases or obtaining more credit, then….

    At a very, very high level, PCI DSS could be thought of as P^1 in terms of protecting the consumer against the threat actions in #3 above.  The fraud in #3 is itself an action that has a separate P/D/R - P^2/D^2/R^2.

    What we really should care about is that we don’t have to get to R^2, because that means we have to spend money we weren’t planning on spending.

    PCI 2.0? (Please don’t hate me for using 2.0)

    There are those that believe that all this focus and effort at P^1 is economically wasteful.  So what would our options be?

    It would be to give up P^1 (in a very Jericho manner) and focus on D^1/R^1 as a means to prevent the success of threat actions at P^2 and eventually getting to R^2 (#3 above).

    So that might be Credit Cards with one time passwords, facial verification steps (my Grandmother had her picture on her credit card), etc… at the PoS.   Alternately, it might just be to eat the cost of ID theft protection/insurance for every consumer that bought something (If I’m CSO of Macy’s I work to build the cost of Debix into the annual CC fees the consumer spends anyways).

    This wouldn’t perfectly eliminate fraud, obviously, but it would probably cost the overall economy less than the cottage industry of PCI compliance, and it would allow retailers to focus on being retailers and not financial institutions.

    So for PCI 2.0 could we just switch to focusing on hyper effective POS authentication at D^1 and ID Theft at R^1 to do extremely effective P^2 (the actual use of the information)?


  • 11 comments

    1. P Dec 5

      Speaking of Macy’s…which areas of fraud are most likely to result in loss, some compromised or insecure CC process or plain old merchandise theft? And given that metric, control spending should focus on the areas most likely to realize loss.

      I was in NYC over Thanksgiving and happened to be standing in Macy’s waiting for the family to meet at the pre-designated spot which happened to be by one of the entry/exit doors. There was a gazillion people coming in and out looking for the latest Macy deals, and that theft alarm monitoring system at the door was going off non-stop.

      I couldn’t help but wonder how much stolen merchandise was walking out the door and how did Macy’s calculate their expected loss during the Thanksgiving sale versus how much they should spend on more security controls to prevent (what is the right business balance) - because they certainly were detecting something, and I didn’t see much response!

    2. Alex Dec 5

      @P - you would hope so!

      I’ve had the pleasure of working with some retail Loss Prevention groups and seeing them use FAIR. Let’s just say their approach was enhanced by FAIR - risk is risk - there’s acceptable levels, and unacceptable levels. The “transport layer” is irrelevant.

    3. Ben Dec 5

      There are a couple different ways to look at this. One would be the cynical (though perhaps correct) view that the point of PCI DSS is to pass liability downstream instead of directly addressing weaknesses in online use of credit cards (see one such direct approach here: http://www.schneier.com/blog/archives/2008/12/credit_card_wit.html).

      Another way to look at it would be that PCI DSS is P^1 for the credit card companies, designed to front their more extensive anti-fraud capabilities at the P^2/D^2/R^2 level. Remember, the credit card companies are driving these requirements, not the companies that enjoy the benefits of using the cards for customer payments.

      So, taking this latter perspective in mind, then what this means is that companies processing credit card numbers on the web should not view PCI DSS as prescriptively as they do, but rather view it as their own P^1, and thus need to implement their own P^2/D^2/R^2 level to protect themselves. This point is especially important given my first point, in that PCI DSS seems to be designed to pass liability downstream, away from the credit card companies themselves.

      fwiw.

    4. shrdlu Dec 5

      The answer to your question is “no,” for legal reasons. If you don’t spend any money on prevention, you won’t be seen as exercising due care. Likewise, if you just buy ID theft protection, your counsel will see it as you implicitly admitting that you’re responsible for any misuse of those CC numbers.

    5. Chris Hayes Dec 8

      It pains me to have to comment on anything PCI related.

      The scenario you pose in giving up P^1 would be effective for merchants that do not store primary account number (PAN) electronically. But for those merchants that store PAN, every use case where PAN is accessed - or systems that contain PAN are accessed (or transmit PAN) - could contain multiple layers of P/D/R. However, one deficiency – yes, one deficiency – can make a merchant out of compliance.

      This is one of my many frustrations with PCI-DSS. The focus appears to be on the “letter of the law” versus the “intent of the law”.

      Finally, I do not think that all of PCI-DSS is P^1. PCI-DSS does have requirements for D and R. However, validating some of these requirements by a QSA is probably not an easy task – short of having a mock breach and seeing a merchant in action.


    1. Interesting Information Security Bits for 12/06/2008 at Infosec Ramblings
    2. The Security Catalyst » Security Catalyst Community Update: December 9, 2008
    3. The Source of PCI DSS “Failure” | RiskAnalys.is
    4. Security Catalyst Community Update: December 9, 2008 : The Security Catalyst
