Monday, April 6, 2009

PCI Hearing in Congress

Last week the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing on the effectiveness of PCI.

You know that PCI has hit primetime when Congress is taking a look at it. But PCI's Washington debut didn't go as smoothly as the Council would have liked. As Anton Chuvakin points out, PCI was ripped by both the government and the merchants, for opposite reasons - the feds think it's too little, and the merchants say it's too much.

I don't think that PCI is a perfect standard, but it is wrong to assume that every data breach of a PCI-certified entity signifies the complete failure of the standard. PCI has taken positive steps recently, including laying out a "Prioritized Approach" which should help make the standard more digestible for smaller organizations.

On the whole the problem with PCI is not so much that companies declared compliant are suffering breaches, but that companies are being declared PCI compliant too readily. Oh, and no one seems to know who is liable when this happens.

But the congressional hearing didn't really focus on liability and enforcement issues. The main theme from government was that PCI was broken and that the bar needs to be raised. Chairwoman Yvette Clarke's prepared statement also singles out eliminating terrorist financing as a major reason - perhaps the most important reason - to eliminate the hacking of companies housing credit card data.

This is interesting because there is a big difference between preventing data breaches in general and preventing data breaches that benefit terrorists. Let's assume for the sake of argument that preventing terrorists from committing credit card fraud is a major priority (although somehow I fail to see why credit card fraud - a crime with many digital footprints - would be their first choice). Doesn't that mean that the standard should focus on preventing the specific types of fraud that terrorists are most likely to commit? (For example, war driving is not really a concern if we are worried about people committing fraud from foreign countries.)

In practice I don't think that it makes sense to mix national security into the PCI discussion. I think the real debate about PCI is whether having a technology-specific standard reduces the number of data breaches. As I have written in the past, most compliance - whether SOX, HIPAA, GLBA, or others - is so non-technical that it does not really require companies to do anything specific. On the other hand, while government regulation is good for establishing general principles, it has done a poor job when it starts to mandate specific technological solutions. So the government would probably do a worse job at PCI than the PCI Council does.

Industry tends to be wary of government regulation, and often with good reason. The congressional hearing included the statement that the only way to protect networks is by continuously pen testing them. This may or may not be true, but I am not sure that the government is best positioned to mandate one approach over another. A further sign of opinion being accepted as fact was one congressman's repetition of the oft-quoted yet ridiculous figure of $1 trillion in cybercrime losses.

PCI is in very early days, and the one thing that wasn't even mentioned at the hearing (unless I missed something...) was the issue of assessor liability. If a PCI-compliant company is breached, shouldn't the finger first be pointed at the assessor to justify why they certified the company in the first place? Until assessors are somehow on the hook for the quality of their assessments (in the same way that an accountant is), one can't really blame the standard itself for failing to enforce itself.

  1. "I think the real debate about PCI is whether having a technology-specific standard reduces the number of data breaches."

    Key point indeed: tech/prescriptive vs risk/outcome based.

  2. Thanks for commenting, Anton. It's interesting that these two approaches weren't compared during the congressional hearing. The Committee seemed to be saying that the tech/prescriptive approach needs to be strengthened and enforced by the government, which would be a major change in the way that security regulations have functioned up to now.

  3. Ronald Reagan said that the nine most terrifying words in the English language are "I'm from the government and I'm here to help." Now, I don't understand a lot in American politics, but IMO one can NOT use this committee as an example. On one hand, PCI is limited in scope (CC only), but then the US economy runs on businesses that run on the internet, thus there's a need to see PCI as a component of a NATIONAL cyber security solution. I call for greater enforcement and ask the committee, as well as any other regulatory organization and actually anyone who cares about real security, to take action.

  4. Despite the hearing, I don't think we are going to see any federal regulations any time soon that incorporate the main parts of PCI. When you read about "PCI being passed into law" in certain states like Minnesota and Nevada, this is primarily a regulation requiring some encryption of cardholder data. Even on the state level there isn't any law that comes anywhere close to requiring PCI.