Chinks in the Plastic

CIOL Bureau

MUMBAI, INDIA: Verizon Business’ latest PCI 2011 report describes the state of credit-card security and shows that cardholder information remains at risk, despite industry-wide efforts to strengthen it. Now in its second year, the report, created by the authors of the Verizon Data Breach Investigations Report (DBIR), demonstrates that most businesses are still not compliant with the Payment Card Industry Data Security Standard, a gap that can lead to the loss of confidential customer information and to credit-card fraud.

Ashish Thapar, Principal Consultant, Professional Services at Verizon, helps us make sense of the numbers and trends that the recent report on the status of PCI-DSS poured out. He steps back from individual incidents and threat minefields to give us the big-picture view, interpreting the gaps and translating them into the steps necessary for the future.

What have been the major highlights of this report if you were to pick them?

Our team conducts research on the entire ecosystem that not only includes PCI DSS (Payment Card Industry Data Security Standards) but also PIN TSS (PIN Transaction Security Standard) and PA DSS (Payment Application DSS). This report was based on assessment of clients (across BFSI, Financial Services, ITES, Federal entities etc.) on criteria of compliance. What we discovered was that the compliance situation is not something that has either improved or worsened. Only 21 per cent were fully compliant at the initial audit, and this shows a gap when we talk of PCI-DSS. About 65 per cent were not PCI-DSS compliant, and that explains many breaches.

Why?

The requirements are three-pronged — protecting cardholders’ data; tracking and monitoring access; and following regulatory test systems and processes. These requirements are where organisations really struggle a lot, because pieces of data presence are vague and not known. Organisations are not doing functional testing or ethical hacking, or looking at logs and spotting terms of breach. Whatever you do, document, and vice versa. But many gaps exist.

Does compliance effectively translate into the essence of security?

Targeting compliance is good for a point in time or a tick in the box. But security should be helpful in overall governance which calls for a larger strategy or a bigger plan. That should be in line with the business priorities. Compliance should be the output.

Would you say that issues like an ‘at-your-expense’ model or a ‘comply-or-be-fined’ approach help or deter the very intent of PCI-DSS?

As a technology service provider, this is a contractual requirement because it is a qualifying criterion. From a diligence perspective, it is again a good model to follow, and it acts as a business enabler. That takes care of the carrot part. As to the stick part — financial institutions or merchant providers take care of that. It gets driven by a chain of five credit card majors, so even though there is no statutory mandate, the ecosystem drives it. That means issuing bank, acquirer bank, other payment gateways and associated fines. If a data breach occurs, there comes in the deterrent approach. A merchant or service provider becomes liable to pay all damages to the payment card brand as well as the forensic investigation expense. Both approaches work as per situation.

Would new technologies like NFC (Near Field Communications) or PIN be good news?

There are three ways: physical, mail reader and Internet. There are technologies available in the market space to become compliant for a ‘card-not-present’ scenario. Nowadays, chip-based card authentication is coming up over the magnetic one, but backward compatibility is an issue there. Though it would be nice to have, as in the case of the magnetic one, siphoning off a card’s details to create counterfeit cards is easy.