Tucked away in the conclusion of this article is an interesting question: is the PCI Data Security Standard effective? Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me). The more interesting question is whether the PCI DSS, or any self-regulation, can be an effective counter to information security threats. I don't know the answer, but the article gives some indication that the answer might be no.
Of course, the article itself did not tackle the question of self-regulation versus governmental oversight. The article was devoted to describing a new set of guidelines intended to facilitate the process of becoming PCI compliant. Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing. The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance. The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at Heartland Payment Systems. The article mentioned that a spokesman from the PCI Security Standards Council had said that there wasn't anything wrong with the standards. However, if that's true, it raises a bigger question: why are the breaches still happening?
One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self-regulation isn't an effective means of influencing behavior. I think that position is probably too extreme; merchants do care about the PCI DSS. However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening, indicate that something needs to change. Maybe that something is adding a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.
Sunday, March 15, 2009
Sunday, April 6, 2008
Hannaford Data Exposure Suit
In a development that can be expected to surprise no one, yet another merchant has announced that a security breach has resulted in the exposure of consumer data. The breach is described in this article from Computerworld, as well as this article from the E-Commerce Times. The basic outline of the story is that Hannaford Bros. Co., a Maine-based supermarket chain, had their servers compromised by malware, which ended up leading to the exposure of somewhere north of 4 million debit and credit card accounts. Now that the breach has surfaced, the inevitable class action suits have been filed in federal court in Maine. While I don't have the facts necessary to comment on the merits, there are a few aspects of this case that could set it apart from the run-of-the-mill data exposure suit. First, according to the E-Commerce Times article, nearly 2000 cases of fraud have been traced to the breach. This, obviously, could be helpful to the plaintiffs, as it will help show actual damages, which have often been a stumbling block in similar cases. The second interesting aspect of this case is that Hannaford, rather than being a poster child for bad security practices a la TJX, was apparently in compliance with the PCI standards when the breach took place. This, obviously, could be helpful to the defendants, who could use their compliance with the PCI standards to rebut charges of negligence.
In any case, as I mentioned previously, I don't have the facts necessary to comment on the merits of the case. However, it seems that there are things to be said for both parties, which could make this an interesting case which could help provide guidance for both plaintiffs and defendants in future data exposure cases.
Wednesday, October 31, 2007
Merchants Challenged to Comply with PCI Standards
As a follow-up to the prior blog post, recent reports from VISA USA illustrate the Faustian choice many merchants are faced with when considering what to do about the requirements for PCI DSS compliance. Former Level 4 merchants had until September 30, 2007 to demonstrate compliance, with non-compliance carrying stiff penalties. However, the complexity of the standards and the expense of overhauling IT practices have caused many merchants to decide to accept the fines rather than incur the expense. This is an unfortunate development for the cause of privacy professionals and others who have been advocating tighter security standards as the best preventive step against data security breaches. The President and CEO of VISA, Philip Coghlin, recently indicated that only 20% of VISA merchants are PCI DSS compliant. But he also indicated that the industry was advocating even tighter security standards. Such an approach ignores the potential effect that merchant noncompliance with the security standards may have on consumer trust in e-commerce. If the standards are so difficult to comply with that compliance is lagging, consumer confidence in the electronic delivery system could erode.
Tuesday, August 14, 2007
Focus on Data Retention, Storage and Destruction
Merchants with customers in Minnesota have another reason to step up their efforts to comply with the PCI Data Security Standards. A new Minnesota law, the first of its kind, imposes strict liability on merchants for costs incurred by financial institutions associated with a card security breach. Effective August 1, 2007, the Plastic Card Security Act requires that merchants with Minnesota residents as customers must have implemented Requirement 3 of the PCI security requirements. Requirement 3 prohibits storage of "sensitive authentication data," which includes magnetic stripe data, card validation codes, PINs, and encrypted PIN blocks. The law requires destruction of all such data immediately following a transaction. The provisions imposing strict liability take effect August 1, 2008. Similar bills are pending in the legislatures of California, Texas, Illinois, Connecticut and Massachusetts, and could very well be the next wave of data security legislation. Meanwhile, other efforts are underway to assist companies that must store sensitive business data. Computerworld reports on software being developed that takes critical data and cuts it up into anywhere from four to 128 "slices" that can be sent and stored securely in one or more locations. Such software would be helpful for companies that need to better secure remote users, or for banking companies where long-term and easily retrievable storage of customer data is essential to their business. Clearly, recognition that proper data retention, storage and destruction is key to prevention of security breaches is finally getting its due.
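To make the Requirement 3 obligation concrete, here is an added example (not from the post or from any PCI document) of a scrub routine a merchant application could run over an authorization record before it is written to disk or a log: it drops the sensitive authentication data fields the post lists (track data, card validation code, PIN, PIN block), detects magnetic stripe track data that leaked into free-text fields, and masks any Luhn-valid PAN down to first six and last four digits. The field names and the sample record are constructed assumptions.

```python
import re

# Field names under which sensitive authentication data (SAD) commonly
# appears; assumed names, adjust to the application's own schema.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc", "pin", "pin_block"}

# Magnetic stripe layouts: track 1 is "%B<PAN>^<NAME>^<YYMM>...",
# track 2 is ";<PAN>=<YYMM>...". Either one must never be persisted.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{12,19}=\d{4}")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_record(record: dict) -> tuple[dict, list[str]]:
    """Return a copy of record that is safe to store, plus what was changed."""
    clean, findings = {}, []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            findings.append(f"dropped SAD field {key}")
            continue
        if isinstance(value, str):
            if TRACK1_RE.search(value) or TRACK2_RE.search(value):
                findings.append(f"dropped track data found in {key}")
                continue

            def _mask(m, key=key):
                if luhn_ok(m.group(0)):
                    findings.append(f"masked PAN in {key}")
                    return mask_pan(m.group(0))
                return m.group(0)

            value = PAN_RE.sub(_mask, value)
        clean[key] = value
    return clean, findings


# Constructed sample: an authorization record as a POS application might log it.
SAMPLE = {
    "txn_id": "A1001",
    "pan": "4111111111111111",
    "cvv2": "123",
    "track2": ";4111111111111111=27121011000012345678?",
    "amount": "42.17",
    "note": "approved 4111111111111111 ref 12345",
}
```

Running `scrub_record(SAMPLE)` keeps the transaction id, amount and note, but with the PAN masked and with the cvv2 and track2 fields gone; the findings list is what an audit log of the scrub should record.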