PCI Is Meaningless, But We Still Need ItPCI Is Meaningless, But We Still Need It

The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing.The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on PCI won't eventually lead to higher awareness. It will just drive you crazy.

Consider this statement from Visa regarding PCI assessments. Assessments "do not guarantee that those security controls remain in place after the review is complete."

In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off. So, PCI wants to enhance the security of payment account data, but it will only validate that enhancement within the limited time period of a review.

I believe PCI was constructed this way for two reasons. First, it absolves the assessors and the card brands of any liability should a compliant company get breached. The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows.

At present, PCI allows Visa and the other card brands to impose their will on merchants and card processors without having to assume any of the risk that the standards they impose have weaknesses or flaws, or that merchants and processors are actually following those standards outside the limited time period of an annual review.

Second, the PCI program lets the card brands demonstrate that they are policing the industry, so as to stave off government regulations.

In effect, the card brands take a paternal approach to data security without actually taking any responsibility the way a parent should.

It's like giving a kid a set of rules, and then leaving the kid alone for a year. You check up on the kid every June. If the house is relatively clean and he's had a bath recently and is consuming something other than Fruit Loops and beer, you pat him on the head and say "Good job. See ya next year!"

Then the house burns down. Child Services shows up and says "Hey, what happened?" You say "Well, we told him not to play with matches. It was in his rule book. Not our fault."

If PCI actually reduces the risk of card data theft, that's a bonus for the card brands, but as far as I can see, it's not a major goal in the construction of the PCI program.

That's why I'm really curious to see how the Heartland mess shakes out. What if data was being stolen at the exact time Trustwave Systems, Heartland's assessor, was signing off on compliance?

One, it would be very embarrassing to Trustwave and PCI. Two, it demonstrates that even if a company is doing everything it is supposed to, breaches can still happen.

And this is my major beef with PCI. No security program or practice or technology is invulnerable. Smart, well-run organizations can still get whacked by clever or lucky criminals. We understand that stuff happens.

The main goal of a program like PCI should be to reduce risk. But as it's currently constructed and implemented, any risk reduction that occurs is a second-order effect. PCI's primary goal is to cover the butts of the card brands. That's not fair to the organizations compelled to comply with PCI, and it's not fair to consumers.

Unfortunately, we also are faced with lots and lots of organizations that either don't know how to reduce their risk or don't care to. These organizations require third-party impetus to get their heads out of the sand. PCI provides the stick necessary to get organizations moving, and offers a remedial framework upon which they can build.

So until and unless something better comes along, we're stuck with PCI.