Do the Payment Card Industry Data Standards Reduce Cybercrime?

On March 31st the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing on the effectiveness of the PCI Data Security Standards.  Video and documents from the hearing are available here. The question of the day was whether or not PCI DSS actually prevents computer crime.

I started watching a bit late, along with a number of other security professionals who were interested in the hearing.  As we listened, quite a few of us posted our thoughts on Twitter.  I really enjoyed seeing what other people were thinking.  Some comments led me to things I hadn’t considered.  Others showed that I was having similar thoughts to others.  All in all, it was really cool to take part in such a dynamic conversation with people I’ve never met.

So what were my thoughts on the hearing?  Honestly, my first reaction was that Congress was feeling a bit jealous that someone else had come up with a body of requirements that was actually getting action from companies.  Perhaps that’s a bit cynical, but I’m always a bit wary of the posturing that goes on in Congress.  By the time I got onto the video feed there were only a couple of members of Congress left at the hearing.  I did arrive in time to watch Ms. Rita Glavin, Acting Assistant Attorney General, give her testimony.  In general she touted the successes of law enforcement in breaking up some of the criminal activities conducted online.  One comment she made really stuck out to me.  She made a point of saying that systems need to be continually tested to make sure the defenses and the standards are effective.  I really agree with this statement.  Without testing, how do you know your defenses are actually effective?

Ms. Glavin also stated that the PCI standards were a good baseline, but that they weren’t enough.  I have limited experience with PCI, but so far it’s been that companies look for the bare minimum and see PCI as the ultimate standard for security.  So while Ms. Glavin feels more needs to be done to make companies’ security effective, business sees PCI as the destination.  That’s probably an over-generalization of the attitudes of business, but it’s been my experience so far.

Next a panel of four individuals was called up to represent the private sector.  They were Robert Russo of the Payment Card Industry Data Security Standards Council, Joseph Majka of Visa Inc, Michael Jones of Michaels Stores Inc, and Dave Hogan of the National Retail Federation.  They each gave opening statements in which they stated their opinions on the effectiveness of PCI DSS.  It became very apparent that there were two different camps at the table.  Not surprisingly, Mr. Russo and Mr. Majka came out strongly in favor of the effectiveness of PCI DSS.  Statements like “there has never been a breached company that was in compliance at the time of the breach” and “no doubt that compliance with PCI standards is an entity’s best defense against breaches” were made.  Sounds like a resounding success.

Not so fast, say the next two panelists.  Mr. Jones and Mr. Hogan wasted no time in going after the PCI standards.  In their opinion, PCI was too hard to implement, too complex, too ambiguous and too expensive.  They pointed out requirements to store cardholder data for things like returns and chargebacks.  Mr. Jones went as far as to say that he wished PCI made him feel secure.

The questions and statements went back and forth for a while.  Those in favor of PCI’s effectiveness disputed that there was any requirement to store cardholder data, while those against it were adamant that it was required.  The retailers hated that encryption was not supported by the acquiring banks, yet was required for transactions with customers.  In their opinion, encryption should be required throughout the process.  Mr. Russo from PCI came out strongly against encryption throughout the process because it was too expensive.

Here are some of the things that stood out to me:

  • No one had any metrics to support whether the PCI standards reduced payment card fraud.  Congresswoman Clarke zeroed in on that lack pretty quickly and got kudos from me for it.
  • Encryption is too expensive to implement throughout the process?  Time to throw a flag here.  The PCI standard already requires encryption in transit when dealing with the customer and encryption of stored cardholder data.  What’s so expensive about encrypting it internally and on the way to the bank?  Merchants are probably already using SSL for web transactions.  Use it for internal communication and for transactions to the acquiring banks.  Though apparently the acquiring banks do not support this.
  • The requirement to store cardholder data appears to come from the acquiring banks and not from PCI.  In fact, Lucas Zaichkowsky pointed out that Visa has had a campaign to inform companies about the risk of storing cardholder data.
  • If the PCI standards are not helping, then what were the merchants doing before that was so effective?  My thought is that very little was probably being done, and the merchants don’t like PCI because it makes them do more.  And yes, I agree, going through a PCI assessment sucks.  It still seems to get some companies doing something instead of pretending they were doing it.
  • Where the heck was someone from an acquiring bank?  The PCI standards appear to require one thing, the merchant banks seem to require something else, and the merchants themselves are caught in the crossfire.  Why wasn’t someone from the banks there to get grilled too?

Overall, the hearing seemed like a big blame session.  The PCI guys were saying that PCI works and that when cardholder breaches have occurred, their forensics found the merchant wasn’t actually in compliance.  The merchants were saying PCI doesn’t work and costs them too much money.  I don’t know what they’d propose to do instead, but they were very clear about their dislike.  My thought is that PCI isn’t a silver bullet, but at least it gets companies off their behinds and gets them doing something.  Here’s a standard that has some teeth to it: “Do this or we will cut off your ability to process credit card transactions.”  It hits companies where it hurts them the most, right on the bottom line.

Jason Wood