PCI: Dead Man(date) Walking?

Is Visa's program to eliminate the requirement for assessments in lieu of EMV (chip and pin) transactions the death knell for PCI? Not yet, but the writing is on the wall

Mike Rothman, Analyst & President, Securosis

April 25, 2012

4 Min Read

They say all good things come to an end, and the truth is most bad things end at some point as well.

So when I read Branden Williams' blog post on Visa killing PCI Assessments in exchange for originating 75 percent of transactions from EMV-enabled terminals, I immediately jumped to the conclusion that PCI is now on death row. The final execution date will appear when MasterCard and AmEx making a similar pronouncement.

If we have to write an obituary for PCI, what would it say? Overall, I think PCI has been very good for security. It provided a significant amount of funding to do the fundamentals. Even better, it actually spelled out the fundamentals with a specificity we hadn't seen from other regulation. It forced a number of midsize companies (Level 2 and 3 merchants) to have assessments, to take security (more) seriously, and to make some positive changes in their security posture.

So if PCI is very good, why is it a dead mandate walking?

It all gets back to the economics. Remember, few organizations on Earth do as much analysis on fraud as the card brands. Operating within an acceptable range of losses due to fraud is a critical success factor for a card brand. As such, when PCI emerged, the brands were at risk of blowing past that range and starting to cost some real money. Obviously that's unacceptable, so changes happened.

The brands mandated certain security controls in the form of the PCI-DSS and then used that as a mechanism to transfer responsibility for any data loss (and its cost to clean it up) to the merchant. But it seems that PCI has outstayed its welcome. First, let's look at the control set, which, due to a preponderance of political wrangling and winging on the part of the large merchants, is now updated every three years. As we all know, three years is a lifetime in this business, so the control set is getting old. Fast.

Second, most of the merchants that have not implemented PCI and maintained compliance aren't going to do so. They either are incapable or don't care. So there isn't a lot more to gain by continuing to shove PCI up the merchant chain's backside.

Now let's look at transference of responsibility. There has been this idiotic stance by the PCI Council that no breached corporation could be PCI-compliant. They didn't want to (or couldn't) publicly accept that the control set just wasn't good enough. That it was a lowest common denominator, but in no way sufficient to deter today's attackers. That would give the merchant standing to push back on having to accept responsibility for a data breach. So after every high profile breach, the PCI Council would maintain the breached organization wasn't compliant -- ROC or not. It's compliance by time machine, and it's ridiculous. How long before you think a merchant starts litigating when they get a huge bill?

Remember that the card brands are all about reducing fraud losses, and it's unlikely they have an attachment to the PCI Council. In the presence of a new shiny object that promises to reduce loss, they'll go in that direction and their experience in Europe with EMV must lead them to the conclusion that EMV (Chip and PIN) equipped cards reduce the likelihood of fraud. Visa's program says they will waive the PCI assessment if 75 percent or more of a merchant's transactions happen on EMV chip-enabled terminals. So it's an either/or type of thing, but given the amount of money most organizations spend on PCI compliance, it really means go to EMV.

What if you like the status quo and equipping all the stores with EMV capable devices isn't a good option? It'll cost you, starting in late 2015, with a liability shift and likely higher transaction costs -- which is always how the card brands incent the behavior they want. They make it a lot more expensive to not do what they say. Amazing how that works.

Of course, as Branden points out, MasterCard and AmEx have not yet made similar pronouncements, so you can't fire your PCI Assessor yet. But it's just a matter of time. You know it and I know it. And we security folks will have to find another compliance muse to fund our projects. Or maybe just start wielding the APT FUD hammer a lot more aggressively. Maybe bring Richard Clarke in for a board meeting or something. He's like the Thor of FUD nowadays.

Mike Rothman is President of Securosis and author of the Pragmatic CSO.

About the Author(s)

Mike Rothman

Analyst & President, Securosis

Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and compliance. Mike is one of the most sought after speakers and commentators in the security business and brings a deep background in information security. After 20 years in and around security, he's one of the guys who "knows where the bodies are buried" in the space.

Starting his career as a programmer and a networking consultant, Mike joined META Group in 1993 and spearheaded META's initial foray into information security research. Mike left META in 1998 to found SHYM Technology, a pioneer in the PKI software market, and then held VP Marketing roles at CipherTrust and TruSecure - providing experience in marketing, business development, and channel operations for both product and services companies.

After getting fed up with vendor life, he started Security Incite in 2006 to provide the voice of reason in an over-hyped yet underwhelming security industry. After taking a short detour as Senior VP, Strategy and CMO at eIQnetworks to chase shiny objects in security and compliance management, Mike joins Securosis with a rejuvenated cynicism about the state of security and what it takes to survive as a security professional.Mike published "The Pragmatic CSO" in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He also possesses a very expensive engineering degree in Operations Research and Industrial Engineering from Cornell University. His folks are overjoyed that he uses literally zero percent of his education on a daily basis.

He can be reached at [email protected]. Follow him on Twitter @securityincite

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights