Many are complaining that the Payment Card Industry Data Security Standard (PCI-DSS), that industry’s self-regulation for safeguarding cardholder information, lacks teeth.
Critics claim that merchants who accept credit card transactions aren’t moving fast enough to secure their systems, arguing they suffer nominal penalties (fines, added fees or transaction suspensions) for failure to comply. This is further validated by Visa’s own December statement that only one-third of the largest merchants are PCI-DSS compliant, with smaller businesses even further behind. Several industry reports are already telling us that most websites are insecure, but what this also tells us is no one knows where the vulnerabilities are. Well, except the bad guys.
In my opinion, the payment card giants (Visa, MasterCard, AMEX, Discover, etc.) acquiring banks (credit card issuers), and merchants really don’t want credit card numbers spilling out all over the web. It costs them a lot of money when incidents occur. Payment brands lose money when consumers lose confidence and slow their online spending. Acquiring banks must cancel and reissue cards and notify cardholders in writing. Merchants have to deal with charge backs, field calls from angry consumers and possibly foot the bill for credit report fraud watch services. The cost of this clean-up easily starts out in the six figure range and can extend well into the seven figures. This leaves many in the industry scratching their heads and wondering why PCI-DSS hasn’t gained much traction. Maybe it’s the age-old rationale: the answer to 99 questions out of 100 is money.
Like the laws of the land, the impact of industry regulation is dictated by the capability to enforce regulatory law. Manpower and funding are required. Without resources available, laws and regulations don’t matter much. In the U.S., our roadways are maintained and kept safe, marked with street signs, lined with guardrails and patrolled by law enforcement with funds collected from drivers’ license and vehicle registration fees. The cost of enforcement is what drives adoption and someone has to cough up the cash. The question for PCI-DSS is: who?
To deal with this situation, credit card brands are transferring liability to the acquiring banks through PCI-DSS. The acquiring banks then push the costs of PCI-DSS compliance and validation of compliance onto merchants. However, if the costs (time and money) of PCI-DSS are too high, the merchants will ignore the standard and wait to see how the acquiring banks react. Will the banks fine or cut off merchants for lack of compliance? To my knowledge this hasn’t happened yet unless there is a massive incident involving the loss of credit card numbers. So the game of chicken between the brands, banks and merchants continues. Today we’re reaching a point of critical mass with credit card heists on the rise. More pressure is being felt by all parties to do something about the trend.
Up until 2006, validation of PCI-DSS compliance only required quarterly network vulnerability scanning, a service supplied by approximately 100 certified vendors. Typically, network scanning costs no more than a few hundred to a few thousands dollars, possibly rising as high as five figures. The network scanning market is mature, largely commoditized, and highly automated, enabling these low prices to exist. The problem is that most malicious hacker attacks are targeting the web application layer, not the network layer, so PCI-DSS had to be updated. Patching, firewalls and SSL alone were not enough to get the job done. The challenge is that web application vulnerability scanning is not so simple.
The price for the average quality web application vulnerability assessment ranges from about five thousand to fifteen thousand dollars per website. According to PCI-DSS, assessments need to be performed four times a year. All of the sudden, the same merchant that started out paying a few hundred to thousands of dollars faces tens of thousands per website in additional costs.
That’s the real dilemma moving forward, and a big reason why PCI-DSS enforcement is so challenging. The vendors who have been offering network scanning are only capable of delivering extremely limited web application vulnerability coverage. Due to costs involved with doing it right, those in control of the vendor certification have deemed it good enough. However, the reality is a network scan will simply not prevent the bad guys from breaking into a website. One could say that it’s not so much about the PCI-DSS or its teeth, but about which scanning vendors are able to get certified and using what level of service quality.
For PCI-DSS to be successful, the technology and process behind web application vulnerability assessments requires huge advancement in both scalability and efficiency. Until then, PCI-DSS will struggle and merchants will continue to push back. The ability to assess thousands of websites simultaneously with an infrastructure to manage the human expertise required is vital.
Jeremiah Grossman is CTO of WhiteHat Security.