Can't stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain

Third-party providers will face more stringent regulations as part of a revamp in payment card industry regulations due to go into full effect in the new year. The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information …

  1. Gis Bun

    PCI DSS is a joke [maybe was]. Look at all the breaches and these companies were PCI approved.

    I worked at a place. Though not involved, I would see credit card information lying around. It was ridiculous. I could have walked home and sold the information on the Internet. Problem was that version 2 said under a certain number of sales, PCI DSS wasn't a requirement.

    There were so many holes in our security and the IT manager couldn't care less.

    1. JimmyPage Silver badge

      PCI-DSS doesn't exist in isolation

      but needs to be hooked into a national regulator that has the teeth. Primarily in the UK, that being the FCA (formerly FSA). Who have the power of fine, and are certainly not afraid to use it. I really wouldn't want to be working for anyone who suffered a breach in the UK. PCI approved, or not.

      If the regulator is useless, then there's no incentive to comply with PCI.

      1. Ugotta B. Kiddingme

        @Jimmy Page - Re: FCA

        UK are now using the Ferenghi Commerce Authority as a regulator?!? Wow. Yes, that would definitely be an organization with "teeth"...

    2. tfewster

      PCI DSS is NOT a joke

      I believe those retailers that have lost data have agreed to cover the [customers'|banks'] losses and the cost of credit monitoring; the alternative is to have card facilities withdrawn, which would have crippled them.*

      That's a threat with teeth, and it's neither necessary nor desirable for Government to be involved.

      You're right that there are still many bad practices and that self-certification hasn't eliminated those practices. Any IT manager that ignores those problems is putting their career and their organisation at risk.

      * IMHO, any merchant that stores the CVV2 code in flagrant violation of the PCI DSS rules should have this sanction applied no matter what the excuse.

      1. Anonymous Coward
        FAIL

        Re: PCI DSS is NOT a joke - WRONG!!!

        Ummmm ..... yes it is! I have tested 2 ASVs (Tenable and Qualys), and their scanner spends 20 minutes and 15 minutes respectively on one of our sites.

        I emailed the "PCI Security Standards Council" about ASVs scanning just a mere fraction of pages on the website, and how is it that they can certify compliance with such an absurdly inadequate scan ..... and NOTHING, EVER......NEVER. I have never received a reply from them.....EVER.

        PCI is a total waste of legitimate time. Small companies don't even understand a fraction of the Self-Assessment Questionnaire, so this is how they answer:

        Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Why'd we get compromised?

        Then you get a QSA that knows nothing about technology, just happy to check his boxes, and flex his atrophied muscles over things that have nothing to do with anything. FARCE .... Totally!

  2. Anonymous Coward

    Self Assessment is the problem

    Anon obviously - any self assessment for security is a joke - half the time the folks answering the questions have no idea what the question is - I see this all the time. They just read through the questions and look for the right answers.

    I'm reassessing our company security at the moment and everywhere I look I can see ways to break in - I can fix those, but the deeper problem is the information on credit cards that sits in emails, email clients and printed out on people's desks.

    Realistically I don't see any way to fix this problem except to move to a payment system that doesn't require passing the card numbers around.
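The card data sitting in e-mails that this post describes is something a defender can at least go looking for. The following is an added example, not code from the thread or from any product: a small detection pass of the kind you would run over exported mailboxes or shared drives. A digit-run pattern finds candidates and a Luhn check drops most false positives; the report only ever contains masked numbers. All sample lines and card numbers are constructed (standard test-card values, not real accounts).

```python
"""Find card numbers that have leaked into free text (e-mails, tickets, notes).

Added example, not code from the comment thread. A digit-run pattern finds
candidates and a Luhn check drops most false positives. All sample lines and
card numbers below are constructed (standard test-card values).
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines, as they might appear in a shared mailbox.
SAMPLE_LINES = [
    "Hi, please charge 4111 1111 1111 1111 exp 12/26 for the conference fee",
    "Ticket #4521: customer says order 123456789012 never arrived",
    "Card on file: 5500-0000-0000-0004, CVV 123 (do not share!)",
    "Meeting room phone: 020 7946 0958",
    "Serial: 1234567890123456 is the printer asset tag",
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-like numbers in text, separators removed."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (line index, masked PAN) for every line holding a likely card number.

    The report itself never contains a full PAN, so it can be stored or sent
    to whoever has to go and delete the original.
    """
    findings = []
    for idx, line in enumerate(lines):
        for pan in find_pans(line):
            findings.append((idx, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: possible PAN {masked}")
```

The printer asset tag on the last sample line is sixteen digits but fails Luhn, so it is not reported; the phone number and the order number are too short to match at all. On real data you would still expect some false positives, which is why the output is a list for a person to act on rather than an automatic deletion.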

    1. Old Handle

      Re: Self Assessment is the problem

      I'm really starting to think that having each transaction digitally signed by the payer is the only system that makes sense. Yeah, like bitcoin. But it could still be done with centralized authorities (i.e. banks).

  3. Anonymous Coward

    Why should it just be the IT Managers responsibility?

    This is the main problem; these PCI standards need to be directed to everybody in the company, not just the IT Manager. In my rather small business, I can tell the sales staff not to write a customer's credit card number down in a book, but they will still do it. I'm in no position to discipline them, or keep tabs on them all day to ensure they comply.

    PCI standards when they arrived were treated like a joke by the company owner and manager. Clearly IT stuff, nothing to do with them or the rest of the staff. I've still managed to push through PCI compliance but it's an uphill struggle. Maybe PCI standards should target their education towards business owners + managers rather than just the technical side?

    1. Keven E.

      There's something missing

      "I can tell the sales staff not to write a customer's credit card number down in a book, but they will still do it. I'm in no position to discipline them, or keep tabs on them all day to ensure they comply."

      It sounds like you're in charge enough to feel you should "tell them", but not enough to "discipline them"... yet you know that "they still do it"? Hmmmmm..... here's a helping hand policy to start with: "Three strikes and you're out." If you are "in charge" they must know they are risking your *situation (as well as their own).

    2. Anonymous Coward

      "Why should it just be the IT Manager's responsibility?"

      It isn't, but the sanctions on the actual responsible managers are not effective; for them to be so, there has to be both company-level and personal-level pain for the business and the managers who actually are responsible.

  4. Alex Brett

    The biggest problem I've found with the standards, is if the business doesn't fit into one of their standard categories stating which sections you can ignore, you have to go through the whole thing, which then entails you writing ream after ream of policy documents, which nobody is ever going to read / comply with in reality.

    (See http://www.alexbrett.net/blog/2013/05/open-letter-to-the-pci-ssc/ for more rants about PCI:DSS in general...)

  5. Anonymous Coward

    Agree with AC - not just an IT problem

    *Information* security is everyone's responsibility in an organisation. There is no use having the bestest, most secure database ever, in the history of ever, if you aren't shredding your printed output before it leaves the office.

    I heard of an organisation that spent a considerable amount on IT, to try and achieve ISO27001, only to fail the assessment before the assessor had a chance to see any systems. He turned up 10 minutes early, and tailgated someone through the (cheap) swipe door. Now you know why most new and upgraded offices have the tube-style barriers that are much, much harder to tailgate (my advice: don't try, they can put you in A&E with severe bruising).

  6. Kev99 Silver badge

    I still want to know why these idiots put sensitive, confidential, or proprietary information on the web. Other than they're too damned cheap to invest in security. In the 80s and before, credit card data was transmitted over dedicated telephone lines that were encoded at both ends. Yes, the business had to pay for the terminal and data line, but you'd think that would be a small price compared to the loss of their data and reputation. Apparently, making Wall Street et al. happy is more important.

    1. Version 1.0 Silver badge

      When you are dealing with academics you'll find that they will happily email you their credit card information if they need something in a hurry - that's right via plain text email.

  7. NP-Hardass

    A good step forward...

    While I don't think this addresses all of the issues, I think this new standard is a good stem in the right direction.

    1. Preston Munchensonton
      Joke

      Re: A good step forward...

      I would generally beleaf the same thing, but I do detest getting pistil-whipped by such compliance schemes.

  8. Frankee Llonnygog

    PCI compliant even if you don't process card data?

    Dear Payment Card Industry - get stuffed! What will you do if I don't comply? Force me to use PayPal instead? Hey Mr Foot, meet Mr Gatling Gun.

    You are the people who invented the laughable 3D Secure standard. Your complete failure to come to grips with security is just one factor that will lead to your inevitable and sudden doom.

    You have actually achieved the impossible and made Bitcoin look like a viable alternative.

    1. Fonant

      Re: PCI compliant even if you don't process card data?

      I tend to agree, the new apparent requirement for all e-commerce websites to self-assess their PCI-DSS compliance, even if the card handling is handled on completely different sites, seems to be a joke: how do they think they can enforce this?

      Will they ask PayPal and WorldPay to act as policemen, and to cancel lucrative card handling accounts if the shop website doesn't comply? That could perhaps work, but would both add significant costs to the payment providers and would also decimate their customer base. The small online shops would be forced to move to a few ultra-large e-commerce providers which could actually make things worse and lead to virtual monopolies (would you let PayPal run your online shop, as well as handling payments?).

      While the intentions are good, it's just not currently practical for the millions of tiny online shops out there to have to self-assess themselves for PCI-DSS compliance.

      Especially not with the new EU VAT rules next year. I can see a lot of small online shops closing down in 2015.

    2. Anonymous Coward

      Re: PCI compliant even if you don't process card data?

      And here is the problem, if you don't comply they still let you use the services, just charge you more and put more risk on the companies. This means that there is a business decision of cost of compliance vs risk vs image perception/customer impact of not taking cards. I've seen this situation and it came down to take the risk of a breach rather than stop taking cards.

      Imagine a case where the option is spend on old system or rely on moving to a new system where project was just signed off that will be complete 3 months after compliance date...... Then what happens when replacement system is over 12 months late. Easy to guess what the business decision will be, just limp along, PCI won't do anything unless there's a breach after all.

    3. Anonymous Coward

      Re: PCI compliant even if you don't process card data?

      "PCI compliant even if you don't process card data?"

      Our company a few years ago had a card security related problem. PCI audits done of the stuff deemed in-scope, everybody happy.

      Now I've had several issues with the usefulness of PCI for some years (I wasn't involved with the audit but it was done by a supposedly competent third party and it cost us many money). End of the process I'm finding exploits in code in bits the company uses that the third party auditor deemed not in scope.

      Here's where the article and my story link:

      Those bits of code were directly linked to code that redirects customers to other systems that send customers to a third party processor. If that code is exploitable (and I'm not saying a PCI audit would show it, which is one of my other issues with PCI - that it relies on blind pen testing rather than a real audit of security, which I did in parallel to the actual process) that system can now redirect the card information collection to <elsewhere>. What I'm saying is there's a *damn* good reason these systems should be in scope - and it's been one of many points of ridicule as regards PCI over the years.

      Sure you can take PayPal - but you're going to have to pay PayPal's (absurd) processing fees and good luck when they lock your PayPal account every 3 weeks (this happens to any business that isn't eBay and nobody to my knowledge knows how to stop it).

      You could handle bitcoins but you're going to have money laundering regs issues out the arse, you'll struggle to get banks to deal with the payments in volume anyway (for legitimate and not so legitimate - anti-competitive - reasons) assuming you can deal with the processing and exchange fees which are worse than PayPal's and that's assuming you can exchange in volume in the first place (as somebody who knows bitcoin inside-out; you absolutely can't).

      Also, not for nothing, but 3D Secure isn't absurd so much as the banks' handling of it.
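The hand-off to a third-party processor that this comment describes is exactly the step where an exploitable redirect would matter, since whoever controls the destination controls where the customer types their card number. The following is an added example, not the poster's code or any real shop's, of the defensive pattern for that step: the processor is chosen from server-side configuration rather than from anything the browser sends, and the final destination is still checked against an allow list before the redirect is issued. Hostnames, paths and parameter names are placeholders.

```python
"""Server-side hand-off to a third-party payment processor.

Added example, not code from the comment thread or any real shop. The
processor is selected from server-side configuration, never from a URL the
browser supplies, and the destination is validated again before redirecting.
Hostnames, paths and parameter names below are placeholders.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Placeholder configuration: the processors this shop has contracts with.
PROCESSORS = {
    "acme-pay": "https://checkout.acme-pay.test/hosted",
    "other-acquirer": "https://pay.other-acquirer.test/start",
}
ALLOWED_HOSTS = {urlsplit(u).hostname for u in PROCESSORS.values()}


class UnsafeRedirect(ValueError):
    """Raised when a hand-off URL does not point at an approved processor."""


def validate_processor_url(url: str) -> str:
    """Return a normalised URL if it points at an approved processor over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeRedirect("hand-off must use https")
    if parts.username is not None or parts.password is not None:
        raise UnsafeRedirect("userinfo in URL")      # rejects host@elsewhere forms
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:                     # exact match, no suffix tricks
        raise UnsafeRedirect(f"host is not an approved processor: {host!r}")
    if parts.port not in (None, 443):
        raise UnsafeRedirect("non-standard port")
    # Rebuild from the parsed parts so only scheme, host, path and query survive.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_safe_processor_url(url: str) -> bool:
    """Boolean wrapper for logging or tests."""
    try:
        validate_processor_url(url)
        return True
    except UnsafeRedirect:
        return False


def build_handoff(processor_id: str, session_token: str, amount_minor: int) -> str:
    """Build the redirect target for a checkout session from server-side config.

    processor_id comes from the order record, not from the request, so a
    tampered parameter cannot select an unknown destination.
    """
    try:
        base = PROCESSORS[processor_id]
    except KeyError:
        raise UnsafeRedirect(f"unknown processor id {processor_id!r}")
    query = urlencode({"session": session_token, "amount": amount_minor})
    return validate_processor_url(f"{base}?{query}")


if __name__ == "__main__":
    print(build_handoff("acme-pay", "s3ss10n", 1999))
```

In a real shop the `build_handoff` return value is what goes into the `Location` header; nothing in the request is ever passed through to it. The separate `validate_processor_url` check is a backstop so that a future change to the configuration loader or a templating mistake cannot quietly widen the set of destinations.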

  9. elip
    WTF?

    when will they have to comply?

    I'm just wondering when the major credit card companies that make up the PCI Security Standards Council will finally have to be compliant with their own standard? I know via 2nd hand info, from folks that have directly performed audits against Visa and MasterCard (also against *all* of the major US banks), that not a single one has ever been PCI-DSS 2.0 compliant. The standard is worthless and meaningless, as long as the companies are allowed to simply purchase insurance to cover their negligence and eventual breaches.

    1. Fonant

      Re: when will they have to comply?

      WorldPay was, rather embarrassingly, non-compliant with PCI-DSS for some years. I think they've sorted it now.

    2. Charles 9

      Re: when will they have to comply?

      "The standard is worthless and meaningless, as long as the companies are allowed to simply purchase insurance to cover their negligence and eventual breaches."

      But don't the insurance companies get theirs back at the retailers by hiking their rates after a breach? I know that's how it's done in the auto insurance industry and other insurance industries: the higher your risk profile, the higher your rates.

    3. streaky

      Re: when will they have to comply?

      "The standard is worthless and meaningless, as long as the companies are allowed to simply purchase insurance to cover their negligence and eventual breaches."

      The cost of the insurance is weighed against the threat of breach. Assuming the insurers know the status of their security (and they'd be mad not to) that's the insurers and their underwriters problem, nobody else's.

  10. Mark 85

    Hmm....

    Given that a business will do everything in its power to reduce costs even on critical systems, there's a bit of a hole here: the person who tests the system cannot be the same individual who manages or administers the system. So the boss grabs an admin and says: "go home and see if you can break in." Testing done.

    Another hole they'll jump into is "periodic testing" of POS.... what time frame?

    I'm also assuming there's a lack of penalties? Without enforceable standards backed by penalties, it will get paid lip service, since following the PCI will cost a few dollars.

    1. Anonymous Coward

      Re: Hmm....

      "I'm also assuming there's a lack of penalties? Without enforceable standards backed by penalties, it will get paid lip service, since following the PCI will cost a few dollars."

      The penalties will be assessed by Visa and the like. Companies that are not PCI-compliant pay greater interchange fees or, worst case, get denied use of their services. And as noted earlier, if a company is found at fault for a credit card breach, they get to foot the bill.

  11. Mad Chaz

    The blame game and lack of responsibility.

    The issue is that the people who COULD force the proper practices are the very ones who have all the incentives not to. The people in charge of IT are, 999/1000 of the time there to keep the budget to a minimum and rarely know how to even turn the color box on without help.

    So it's "I can save here, here, and here" instead of "we have to spend X on this or we could face Y in the future".

    When the penalty for a BREACH is you lose the ability to process payments until you can SHOW you took proper precautions to convince a third party you did your homework properly, as well as LARGE fines if you fail to disclose any such breach and are found out, we'll start to see some pro-active managers.

    Until the idea of losing the consumer's data equals "we will lose the entire business and I will not only lose my job, but also my golden parachute and I might face jail time if we don't do this right" in the mind of the people paying and approving the expense, it will continue to get worse.
