Friday, 14 October 2011

PCI Should Focus on the Real Problem

The Payment Card Industry (PCI) security standard gets a lot of press – but does it address the fundamental problems that still exist in the card/payments industry? Um, no, it doesn’t. Not even close.

I had a very enjoyable argument with my friend and colleague Nathan Clevenger at Interop on the subject of local apps vs. applications hosted in the cloud. I won't revisit that topic here since my preference for the cloud is on file, and you can read more about the impromptu debate in Philippe Winthop's posting (really, live coverage of the discussion) if such is of interest. The important point to take away from this argument is Nathan's assertion that PCI (see below) has blessed, at least in some cases, the concept of local apps. My response was that it's my belief that PCI is in no position to do so and has in fact failed us all, and their position on what's acceptable is most certainly not in the interests of us mere users of their products.
PCI, short for the Payment Card Industry Security Standards Council, is best known for their Data Security Standards (PCI DSS), some of which has a lot to do with wireless LANs. This is all well and good, as far as these standards go. My argument is that, regardless, they are incomplete, resulting in glaring security holes that create a potential burden for end-users while minimizing the impact on the industry. Sound familiar? Customers are prey. Customers deserve no respect. Customers are marks. Take their money and run. Shear 'em and put 'em out to pasture; they're stupid, and no matter how badly we treat them, they'll be back. You get the idea. OK, fine - PCI is, after all, a trade association, not a customer advocacy group.
But back to business here. If you're involved in security of any form, the PCI DSS standards are worth a look. The V 2.0 document is 74 pages long and chock full of interesting details. Many of the requirements are great ideas all by themselves, and much of what's here is applicable to any industry, not just payment cards. Those elements that pertain to card data, like data retention, encryption, and such, are fine as is. But my big complaint is with respect to the lack of authentication for cards themselves, a/k/a failure to address the fundamental problem.


My big argument with PCI is that the cards themselves remain notoriously insecure. The industry seems to have made the calculation that fraud is best dealt with after the fact, because (presumably) solutions to deal with fraud before it occurs would be even more expensive. After all, fraud might be detected by the card servicer (I've received calls about "suspicious" activity on my cards, and, thankfully, there was none), but a lot of fraud is reported much after the fact by the consumer, when the bill arrives. Some fraud just isn't caught at all, as many people don't go through their credit card statements line by line.

But just think - if we could actually use the unembossed card security code (usually called a CVV2 code) on the back of the card, fraud could disappear overnight. Here's how it might work: you charge something, and subsequently receive a message of some form indicating that there is activity on your card. You then log into a secure site, enter the CVV2 code (which is not printed on the card and thus acts like your "private key"), and, and voilá - out-of-band, two-factor authentication. Don't recognize the charge you're being asked to authenticate? Everyone goes home happy, except, of course, the thief. This would work great for transactions where the card is not present at the point of purchase, like over the Web. And, of course, I'd require a similar PIN technique for all transactions taking place in person.

The problem, of course, is that once one enters one's CVV2 on the Web, all bets are off. Sure, the PCI spec says not to store this info, but why take the risk? Criminals could care less what PCI says and are happy to exploit gaps in security - a stolen card is compromised, period. Why hasn't the industry taken steps to eliminate fraud altogether? Because, again, why burden the industry when one can burden the consumer?
Look, good enough isn't good enough here. PCI ought to be producing solutions that meet the needs of the users of their products, and not just covering the industry's collective rear end. I know it's unfashionable to actually serve a customer today, and even to treat customers with respect, but, really, PCI can do better.

No comments:

Post a Comment