Every so often it’s useful to sit back and reexamine a subject from a 40,000-foot perspective. In the last six to eight weeks, three unrelated items have caused me to do just that as I think about security issues in the payments card arena, never an easy subject even in the best of circumstances. Event number one was the March publication of Verizon’s annual PCI Report, which showed, once again, that even firms that did relatively well in their annual examination could not maintain PCI compliance over a longer term. Event number two was a March 11th blog post by BankInfoSecurity’s Executive Editor Tracy Kitten in which she asked the question: “What are the card brands going to do to ensure merchants are secure and breach-related losses and expenses are covered?” Event number three was not even directly related to payments – it was a published report that Anthem Blue Cross – which recently suffered a major data breach affecting 78.8 million people – was unwilling to allow the U.S. Government’s Office of Personnel Management’s Office of Inspector General (OIG) to perform “standard vulnerability scans and configuration compliance tests” this coming summer, after having refused the OIG that same permission in 2013. ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))
Let’s take these three items in order. Verizon did have some good news to report, and the company’s 2015 PCI analysis showed improvements in compliance for many areas. For example, compliance improved for eleven of the twelve PCI DSS requirements (the average improvement was 18 percent), and those improvements continue a long-term trend. However, the single area that declined was an important one: Requirement 11, testing security systems. Verizon found that only 33% of firms met that requirement in 2014, down from 40% one year earlier.
Much more disturbing to me were two additional headline findings from the report. First, four out of five (80 percent) of firms that had passed a PCI exam were NOT compliant six months later at their interim evaluation (see Table 1, below). Second, just 28.6 percent of companies with a successful PCI validation were still compliant one year later. Although both of these statistics were improvements compared with past performance, they tell a chilling story about real-world merchant security and the inability of most firms to move beyond a compliance-checklist mindset toward a culture characterized by the pursuit of continuously successful security hygiene. In a world where security breaches make headlines with regularity, this is a very troubling reality.
This state of affairs has been acknowledged by the card brands, most recently in late March by Ellen Richey (Visa’s Security Chief) at a conference in Washington, D.C. Richey noted that among the most common problems is the failure to complete relatively basic steps such as changing default device passwords (leaving default passwords in place makes it easier to put malware on a device). How big a problem are default passwords? Trustwave’s Charles Henderson gives one perspective using VeriFone POS devices as an example, noting that VeriFone has had a well-documented default password since at least 1990. Henderson says that when Trustwave does a POS audit, “90 percent of the VeriFone card readers we test have that [default] password, and that’s just one vendor, and that’s just one example.” ((“Why POS Malware Still Works,” BankInfoSecurity, 3-24-15))
Against this portrait of so many firms seemingly unable to maintain even basic elements of payments security, it’s difficult for me to interpret an increasing number of merchant statements questioning the value of chip card/EMV implementation at the point of sale. For example, the Merchant Advisory Group’s VP, Liz Garner, spoke recently about EMV implementation, saying, “what’s the point in implementing this now when the methods are likely going to be changed again?” Implementation, she said, would be “extremely costly, extremely disruptive and extremely complex across the board. With our folks there is a lot of uncertainty of its value, because of the availability of other types of technology that are better.” ((“Bankers Frustrated by Retailers’ Foot-Dragging on EMV Upgrades,” American Banker, 3-29-15))
With that perspective, let’s look at the issue Tracy Kitten raises in her March 11th blog. Her question about why regulators aren’t challenging card brands to help merchants stay secure and cover any breach-related expenses was raised in the context of what the blog suggests is a “broken payments infrastructure” that the card brands are seeking to prolong. So, is the payments infrastructure broken? We all understand that the payments infrastructure is in a period of rapid transformation. No one, not the card brands, not banks, not merchants, not regulators, believes that the legacy magnetic stripe environment at the point of sale is sustainable, or that online payments security levels are anywhere near adequate to deflect a coming storm. Everyone understands, given the whack-a-mole nature of fraud, that as mischief at the physical point of sale is reduced it will move to the online and mobile environments – and everyone understands that as payment mechanics in general are improved, fraudsters will look for other ways to exploit the payments system, as they already have with registration fraud on Apple Pay. Given the observations of Trustwave, Verizon and others, it seems clear to me that far too many merchants have not yet embraced a full commitment to achieving an adequate threshold level of digital payments security, no matter what tools are available. And the retail community is not alone. ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))
In early February, Anthem Blue Cross reported that it had suffered a major data breach, perhaps (according to Adam Krebs) beginning as long ago as April 2014. This breach exposed customer names, dates of birth, social security numbers, health care IDs, home addresses, email addresses, employment data, and even income data. The breach affected more than 79 million people, both current and past customers dating back to 2004. So it was a considerable surprise to read on March 4th that the U.S. Government’s Office of Personnel Management’s Office of Inspector General (OIG) had been denied, for the second time, permission to complete a limited-scope audit. An OIG spokesman was quoted as saying:
“What we had attempted to schedule for the summer of 2015 was a sort of ‘partial audit’ – what we call a ‘limited scope audit’ – that would have consisted only of the work we were prevented from conducting in 2013. So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests.” ((“Anthem Refuses Full IT Security Audit,” HealthCareInformationSecurity, March 3, 2015))
Anthem’s unwillingness to engage constructively with its customers about its internal IT security effectiveness is disturbing. Any bank doing business with Anthem that had agreements meeting OCC and FFIEC contractual standards would have a clear right to audit and access to the company’s own IT audit reports. Anthem’s attitude is one more indication that too many companies don’t yet accept what’s required to maintain proper security hygiene in today’s environment. And with the kind of PII being stolen in this and similar breaches (for example, Premera Blue Cross), it will be easy for fraudsters to establish an ever-increasing number of synthetic identities, which are difficult for FIs (and others) to detect and defeat.
If firms across the economy are finding it so difficult to protect their customers from the consequences of unwelcome intrusion, can PCI ever result in a significantly improved security environment? Increasingly, I’ve come to the conclusion that consistent PCI compliance is beyond the real-world ability of too many retailers and, therefore, is unlikely to result in material improvement without a different enforcement regime. I believe more rapid evolution of our payments infrastructure is essential to achieve step-function security progress across all payment channels. So from 40,000 feet, here is my own sense of some required steps, all in the spirit of devaluing payments-related data, sorted by stakeholder:
- Move away from chip and signature EMV and require online Chip and PIN.
- Mandate end-to-end encryption.
- Set a firm sunset date for magnetic stripe card issuance/replacement.
- Require tokenization in-application and online.
- Work with all payments stakeholders to develop a more open payments tokenization standard.
- Require dynamically authenticated customer payments registration.
- Embrace online Chip and PIN.
- Speed EMV Card Issuance.
- Sunset magnetic stripe card issuance/replacement.
- Speed EMV Acceptance.
- Adopt EMV tokenization specification now, and in parallel work with all payments stakeholders to develop a more open tokenization standard.
- Devote substantially more resources to improving digital payments security; recognize incremental expenses as a basic cost of doing business.
- Encourage development of an open payments tokenization standard.
- Examine all payments stakeholders, including, selectively, merchants. The Consumer Financial Protection Bureau (CFPB) would have the authority to perform payment-security-related merchant examinations, perhaps against a set of PCI-derived requirements. These examinations could help to establish a more effective enforcement regime and better motivate substantially improved and sustainable security hygiene.
Does PCI have a role going forward? Because the standard is perhaps the industry’s best payments-specific security framework, PCI should not and will not go away. And the PCI standard seems the best basis for a merchant payment security regulatory examination protocol, perhaps administered by the CFPB.
I believe the industry has to fundamentally devalue the payments data fraudsters seek across all channels, much more quickly than I might have expected even six months ago. That will require taking steps, such as sunsetting magnetic stripe card acceptance, sooner rather than later, and will require a degree of collaboration among payments stakeholders that we have not seen in some time.
For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.