New Security Focus Goes Beyond PCI

WASHINGTON — The banking industry's fundamental standard for protecting payment card data may not be enough to fight fraud.

The major card networks have long urged merchants to adopt the Payment Card Industry data security standard, but now that most big retailers are in compliance with it, observers are beginning to shift their views on what is needed to thwart fraudsters.

Instead of holding out PCI compliance — a credential that holds the promise of protecting payments networks from the determined hackers of the world — as the goal, security experts and payments executives now see PCI as a starting point and are urging people to go beyond its basic requirements.

"The awareness of security principles, even if it's a basic awareness, is absolutely encouraged by the PCI process," said Dan Kaminsky, the director of penetration testing for IOActive Inc., a Seattle security consulting company. But "PCI is not the universal grand answer to everything."

Validating that a company's systems satisfy PCI requirements does not mean they are invulnerable, he said during a panel discussion at Visa Inc.'s 2009 Security Summit here last week.

The subject of compliance generated plenty of buzz at the event in light of the breach that Heartland Payment Systems Inc. disclosed in January; the Princeton, N.J., processor had passed a PCI assessment last April, and the incident has raised questions about both Heartland's security procedures and the PCI format.

Ellen Richey, Visa's chief enterprise risk officer, said in a speech that the Heartland breach was probably due to a "lack of ongoing compliance and ongoing vigilance in maintaining security."

Though she would not elaborate on how Heartland's defenses may have been defeated, she said in an interview that "in general, what happens is, the validation is just a point in time and also it's limited in scope."

Demonstrating compliance for an assessment is only the beginning, she said. "You have to look at the logs. The fact that an assessor came and told you you're in compliance because you have a scanner and you have a process for reading it doesn't tell you that somebody actually read it day after day."

Once the procedures are adopted, "they have to be executed."

Visa said at the event that 90% of the biggest U.S. merchants, those it categorizes as Level 1 and Level 2, are now PCI-compliant, and it also discussed new security procedures that go above and beyond the standard's requirements.

Though the main goals of PCI are preventing intrusions and blocking criminals from stealing payment card account data, Richey said Visa and some partners are evaluating techniques to make stolen data useless to hackers.

"In terms of the volume of work, there's probably more being done on the prevent side," she said, "but in terms of the value and the innovation, we're going to need to do it on the making-it-useless side, and there's a lot going on."

Visa this month removed Heartland from its list of PCI-compliant companies. Heartland spokesman Jason Maloni wrote in an e-mail Monday that his company expects to be reinstated in May.

Since announcing the breach, Heartland has been pushing for end-to-end encryption to protect card data as soon as a card is swiped at the point of sale, which is not required by the PCI standards. "Full end-to-end encryption is a measure that would exist on top of PCI compliance," Maloni wrote.

Richey said Visa is also pushing for new encryption applications, some of which would make certain elements of the PCI requirements unnecessary.

However, she also said that encryption "is not going to solve the human issues" regarding PCI compliance. "Encryption would not have prevented the breaches that we've seen," she said.

Visa is also trying to address a longstanding notification issue.

Richey said that Visa could not give e-commerce merchants and alternative payment providers a list of stolen account numbers, which many have requested, because sharing this information runs counter to its goal of preventing the spread of that information. However, she said Visa is developing a special risk score for online merchants that includes "recent information" about its accounts. She would not say whether this means merchants would be explicitly told that a card account being used for a purchase had been exposed in a breach.

(Merchants have complained that they are not notified about compromised accounts, letting them complete transactions when other parties in the payments chain know they are probably fraudulent. At Visa's 2007 Security Summit, eBay Inc.'s then-chief executive Meg Whitman said, "When data breaches occur, acquiring banks and issuing banks do not notify or share that information about exposed cards." As a result, merchants "are tremendously disadvantaged.")

Visa is testing other security measures, such as improved challenge question formats and a technique to "fingerprint" the magnetic stripes on payment cards that could help spot cloned cards.

Avivah Litan, a vice president and research director at the market research company Gartner Inc., said in an interview that PCI "does raise the bar. It gives the security departments an excuse to get more in budget, which is always good. It makes people more aware of their vulnerabilities. The problem with it is not so much the standard but the enforcement process."

Litan stressed that the issues with the enforcement process do not invalidate the PCI standard itself. "You have to separate the discussion on the standard from the enforcement," she said.

She praised Visa for acknowledging this, and for encouraging merchants to go beyond PCI, because in the past its message was focused on bringing noncompliant merchants into compliance. "It was good to hear Visa recognize that they've got to move beyond the current system and strengthen the security, and that they can't really rely on PCI to do the job," she said. "Their position was much more clear at this conference than it's ever been."

Kevin Mitnick, a well-known hacker-turned-security-guru and founder of Mitnick Security Consulting, said during a panel discussion at the summit meeting that many merchants who adopt PCI "just do it for the compliance."

He advised merchants to avoid the snapshot mentality of ensuring compliance only when necessary for a PCI assessment.

"Once they have a snapshot of what their security posture is, then they just do nothing," he said. "They just wait until the next testing period and then shore up their defenses then."
