Recent payment card data breaches in the headlines have led some here to criticize PCI standards. Elsewhere, the US government is scrutinizing how merchants and banks are securing card data.
The problem with payment card security is not the PCI standards, it’s people. Don’t get me wrong. PCI is not perfect. I am both a supporter and critic of PCI. But PCI is a reflection of the world we live in. We are not yet mature enough to deal with the threats that are clearly in front of us.
As few as 10 years ago, IT security was seen as a necessary evil. It was like car insurance. If you drive a car, you need to have insurance. But you feel like you waste your money every month if you never get in a crash. So the culture was not to overspend on security but to do the bare minimum. We didn’t see headlines about 100 million credit cards being stolen a decade ago, so the attitude towards security was different then.
You are Probably Already Breached
Clearly things have changed. Anyone following security trends over the last few years realizes that there is a new mentality. It is no longer a matter of if you will be breached and how to prevent it. If you are a lucrative target, you are likely breached already. The new truth is not to avoid being breached but to minimize the number of successful attacks once attackers get in and to be capable enough to stop the damage as soon as possible, or before the actors can steal the data they are after.
It is no longer just about defending a perimeter, but about the ability to disrupt the intent of the attackers. We need layers of security and an approach that combines people and process with technology. This is what the PCI standards do. This is the new reality.
Today there are new complexities and new attack surfaces. This has nothing to do with any supposed failures of PCI; it just reflects this new reality. It has to do with the fact that thieves are making billions of dollars. According to Verizon, fraud was responsible for about $2 billion around the year 2000. By 2012, it climbed to $12 billion. That is a steady return for criminals, and I don’t think that is going to change.
A New Attitude for a New Reality
In a recent report, Verizon states that when it conducted PCI assessments in 2012, only 10 percent of the merchants it visited passed their baseline compliance audit. Clearly, many merchants are having trouble becoming compliant or maintaining compliance year round. As the breaches continue to grow, it is easy to point a finger at PCI and say that we need something better. And I agree. But it’s not a new standard or a federal regulation we need — it’s a new attitude.
Over the last decade, I have been working in the security space with some of the largest companies across the world. Some take security very seriously, and some just want to do the minimum. In this modern world of risk, even the companies that are taking threats seriously are not entirely safe.
A new attitude towards security needs to be supported throughout the company starting at the highest level. This attitude needs to take security seriously. It means hiring well-trained staff and paying them well. It means purchasing quality security systems. It means developing a security strategy and policy that is proactive and not reactive.
Even with this renewed vigor and vigilance, companies are still not safe. But they are much safer than the ones that lack it; the statistics prove it. And that is the unfortunate reality that we must all face. We are not safe. Anyone who thinks any security standard can save us all is still not listening to the music.
The PCI standards, however, are today’s best prescription for minimizing the likelihood of a breach and for helping to mitigate the damage. There is no alternative or silver bullet to shoot the monster with.
It all comes down to that well-known punchline from an ominous joke: You don’t have to outrun the bear, you just have to outrun the slowest runner.
Christian Janoff is a Security Solution Architect at Cisco Systems with over 15 years of solution architecture and design experience. Christian leads Cisco’s participation on the Payment Card Industry Security Standards Council. Prior to Cisco, he worked as the network engineering manager at leading retailer Safeway. Christian is a member of the PCI Security Standards Council Board of Advisors.