OK, so I lied unintentionally all those months ago when I said I wouldn’t write any more PCI-DSS posts.
My impetus for this blog post is a PCI-DSS panel at ShmooCon that several of my friends (Jack Daniel, Anton Chuvakin, Mike Dahn, and Josh Corman, in no particular order) were on. I know I’m probably the pot calling the kettle black, but the panel (as you would expect for any PCI-DSS discussion in the near future) rapidly disolved into chaos. So as I’m sitting in the audience watching @Myrcurial’s head pop off, I came to the realization that this is really 4 different conversations disguised into one topic:
- The Cost-Benefit Assessment of replacing credit card # and CVV2 with something else–maybe chip and pin, maybe something entirely different–and what responsibility does Visa and Mastercard have towards protecting their business. This calls for something more like an ROI approach because it’s infrastructure projects. Maybe this CBA has already been done but guess what–nobody has said anything about the result of that analysis.
- Merchants’ responsibility to protect their customers, their business, and each other. This is the usual PCI-DSS spiel. The public policy equivalent here is overfishing: everybody knows that if they come back with full nets and by-catch, they’re going to ruin the fishery long-term for themselves and their peers, but they can’t stop the destruction of the fishery by themselves, they need everybody in the community to do their part. In the same way, merchants not protecting card data mess over each other in this weird shared risk pool.
- Processor and bank responsibility. Typically this is the Tier-1 and Tier-2 guys. The issue here is that these guys are most of the processing infrastructure. What works in PCI-DSS for small merchants doesn’t scale up to match these guys, and that’s the story here: how do you make a framework that scales? I think it’s there (IE, the tiers and assurance levels in PCI-DSS) but it’s not communicated effectively.
- Since this is all a shared risk pool, at what places does it make sense to address particular risks? IE, what is the division of roles and responsibilities inside the “community”? Then how do you make a community standard that is at least reasonably fair to all the parties on this spectrum, Visa and MasterCard included?
PCI-DSS Tag Cloud photo by purpleslog.
There are a bunch of tangential questions, but they almost always circle
back to the 4 that I’ve mentioned above:
- Regulatory capture and service providers
- The pitfalls of designing a framework by committee
- Self-regulation v/s legislation and Government oversight
- Levels of hypocrisy in managing the “community”
- Effectiveness of specific controls
Now the problem as I see it is that each of these conversations points to a different conversation as a solution and in doing so, they become thought-terminating cliches. What this means is that when you do a panel, you’re bound to bounce between these 4 different themes without coming to any real resolution. Add to this the fact that it’s a completely irrational audience who only understand their 1 piece of the topic, and you have complete chaos when doing a panel or debate.
Folks, I know this is hard to hear, but as an industry, we need to get over being crybabies and pointing fingers when it comes PCI-DSS. The standard (or a future version of it anyway) and self-regulation is here to stay because even if we fix the core problems of payment, we’ll still have security problems because payment schemes are where the money is. The world as I see it is that the standards process needs to be more transparent and the people governed by the standard need a seat at the table with their rational, adult, and constructive arguments on what works and what doesn’t work to help them do their job to help themselves.