PCI, POS and RTH (Road to Hell)


Two interesting events came to light in the last week for me. First, I am working on getting a company towards compliance with the Payment Card Industry Data Security Standard (PCI-DSS, or just PCI). This is the standard that governs the technology and processes you use to protect data when you handle credit or debit card transactions. An auditor checks your questionnaire or audits your systems and people, "recommends" changes if necessary, and then issues a PCI certification, which must be renewed each year. Even though the company itself never touches sensitive data such as card numbers, expiration dates, or security codes, it is still subject to PCI for 3 reasons:

  1. Optics: Its Website is where consumers go to pay, even if they are then sent to a standard payment service. If consumers do not see the "PCI Secure" logo, they may be reluctant to use the service.
  2. Sales: If the company does not have the certification, vendors may be reluctant to sell through them.
  3. Indirect touch: Despite the fact that they don't touch data, their Website does send consumers to a payment site. If their Website is subtly hijacked, it could send customers somewhere unsafe.
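The third reason is the one a practitioner can actually check for: the hand-off from the merchant's own page to the payment provider. Below is an added example (my code, not anything from the post or the company it describes) that parses a page, picks out the elements that send the customer to payment, and verifies that each one points at an allowlisted processor host over HTTPS. The host name, the element ids, and the two sample pages are all constructed for the example.

```python
"""Integrity check for a merchant page's hand-off to an external payment provider.

Constructed example: the page carries a 'Pay now' link (id="pay-now") and a checkout
form (id="checkout-form"); both must target the allowlisted processor host over HTTPS.
A tampered page that points either one elsewhere, or downgrades to HTTP, is flagged.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the hand-off may target (hypothetical processor name).
ALLOWED_PAYMENT_HOSTS = {"checkout.example-processor.com"}
# Assumed ids of the elements that hand the customer off to payment.
PAYMENT_ELEMENT_IDS = {"pay-now", "checkout-form"}

# Constructed sample pages: one as deployed, one with a subtly altered hand-off.
CLEAN_PAGE = """
<html><body>
  <a id="pay-now" href="https://checkout.example-processor.com/pay?order=1">Pay now</a>
  <form id="checkout-form" action="https://checkout.example-processor.com/pay" method="post">
    <input type="submit" value="Checkout">
  </form>
</body></html>
"""

TAMPERED_PAGE = """
<html><body>
  <a id="pay-now" href="https://checkout.example-processor.com.evil-example.net/pay">Pay now</a>
  <form id="checkout-form" action="http://checkout.example-processor.com/pay" method="post">
    <input type="submit" value="Checkout">
  </form>
</body></html>
"""


class PaymentLinkCollector(HTMLParser):
    """Collects the target URL of every element that hands the customer off to payment."""

    def __init__(self):
        super().__init__()
        self.targets = {}  # element id -> URL string

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        elem_id = attrs.get("id")
        if elem_id not in PAYMENT_ELEMENT_IDS:
            return
        if tag == "a" and attrs.get("href"):
            self.targets[elem_id] = attrs["href"]
        elif tag == "form" and attrs.get("action"):
            self.targets[elem_id] = attrs["action"]


def check_payment_handoff(html):
    """Return a list of findings; an empty list means every hand-off is as expected."""
    parser = PaymentLinkCollector()
    parser.feed(html)
    findings = []
    for elem_id in sorted(PAYMENT_ELEMENT_IDS):
        url = parser.targets.get(elem_id)
        if url is None:
            findings.append(f"{elem_id}: payment element missing from page")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{elem_id}: non-HTTPS hand-off to {url}")
        if parts.hostname not in ALLOWED_PAYMENT_HOSTS:
            findings.append(f"{elem_id}: hand-off to unexpected host {parts.hostname!r}")
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_payment_handoff(page) or ["ok"])
```

The check is deliberately strict about the full host name rather than a substring match, since a lookalike host that merely contains the processor's name is exactly the "subtle" hijack the post is worried about. Run against the live page on a schedule, it gives a cheap, ongoing control for the indirect-touch risk.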

Given the circumstances, I happen to agree that all such services should be subject to PCI certification, despite the headache and ongoing expense. The key phrase here is, "given the circumstances." More on that in a moment.

The second event is another round of point of sale (POS) breaches. POS are the systems used (surprise!) at the point of sale, where you swipe your credit or debit card or pay by cash. These systems are highly networked, linking your sale to the payment processors, the retailer's inventory system, their marketing analytics, etc., as well as to vendor support. You may also recall POS as the system that was compromised in last year's massive Target stores breach. The attackers came in through the HVAC (heating, ventilation, air conditioning) systems and networks, but it was the POS they infected to steal all of the card numbers.

According to this NakedSecurity article, ISS, a major supplier of POS systems, uses remote access to log into point of sale systems and provide maintenance and support. This is not uncommon in many systems, from routers to servers to, well, POS. After all, it would be prohibitively expensive for ISS to send individual technicians onsite to every place there is a card swipe machine, from the dozens in a Target store to the single one in a small curio shop in a small town in the Massachusetts Berkshire mountains! The problem, of course, is that each remote access path may itself be breached; it provides another area of potential weakness, what is called an "attack surface." And sure enough, ISS apparently was less than diligent in securing its remote access, providing a door to hackers, who just read card numbers as they were entered or swiped.

Once again, I am reminded that the entire edifice of payment cards is broken. Payment cards are a plastic version of checks / cheques, a paper, plastic, or electronic authorization to withdraw or "pull" from someone's account, in the hope that they will only withdraw the approved amount. This structure means:

  1. Anyone with sufficient account information - like a credit or debit card number - can withdraw funds from your bank or credit account; therefore:
  2. Every time you give those card numbers to someone - Target, your cable company, Swiss Airlines - you provide another opportunity for theft, another attack surface; therefore:
  3. We expend enormous amounts of effort and treasure trying to protect every single one of those systems.

An edifice built on sand will constantly require more and more supports and effort to keep it from collapsing entirely, let alone actually standing upright. An edifice built on concrete drilled into the bedrock will stand for a very long time indeed.

In the age of electronic communications, it is time to discard the entire edifice of authorizing a vendor to withdraw or "pull" from my account if only they have sufficient secret information. All transfers of funds to someone else, like a retailer, should be "push" only. I, and only I, go to my account location - credit card provider, bank, savings & loan, whatever - enter the seller's account information and the amount I want to send, and it goes instantly. Not in 2 business days like an ACH transfer; not in 1 business day like a wire transfer; but in seconds. This is the only way to bring sanity back to the payments process. Once this is done:

  1. Go ahead, let everyone know my account. Breach your systems. I don't care! The only thing you will be able to do with my account information is send me money and not take money from me.
  2. If I no longer have to worry about the confidentiality of my account, 98% of PCI goes away! It is hard to overestimate how much PCI is costing industries worldwide year after year. The security auditors, or QSAs, are making a mint providing a service that is currently necessary but could go away. Vendors are expending untold sums adding protection above and beyond what is necessary, e.g. encrypting account information in databases, and, as we can see, it still is not enough.
  3. I no longer need to carry around lots of cards. I can have 0, 1, 2 or 20 accounts without needing the card.
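To make the pull-versus-push argument concrete, here is an added example (my own toy ledger, not code from the post or from any real payment system) that models both settlement styles side by side. In the pull model the payee presents the payer's account number and is paid, so anyone who has captured that number can do the same; in the push model only the payer, authenticated to their own institution, can move money out, and knowing an account identifier lets you credit it and nothing else. Account ids, owner tokens, and balances are all constructed for the example.

```python
"""Pull vs push settlement as a toy ledger (constructed example, not any real payment rail).

The point it demonstrates: under 'pull', a leaked account number is a debit credential;
under 'push', a leaked account number is only an address to send money to.
"""
import hmac
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a debit is attempted without the account owner's authority."""


@dataclass
class Account:
    account_id: str    # routable identifier; given to payees, printed on the card
    owner_token: str   # stands in for the owner's login to their own institution
    balance: int = 0   # whole currency units, kept as int to avoid float rounding


@dataclass
class Ledger:
    accounts: dict = field(default_factory=dict)

    def open(self, account_id, owner_token, balance=0):
        self.accounts[account_id] = Account(account_id, owner_token, balance)
        return self.accounts[account_id]

    def _move(self, src, dst, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.accounts[src].balance < amount:
            raise ValueError("insufficient funds")
        self.accounts[src].balance -= amount
        self.accounts[dst].balance += amount

    def pull(self, payer_account_number, payee_id, amount):
        """Card-style pull: knowing the payer's number is all the authority required."""
        self._move(payer_account_number, payee_id, amount)

    def push(self, payer_id, owner_token, payee_id, amount):
        """Push: only the owner, proving it with their own credential, can send funds."""
        payer = self.accounts[payer_id]
        if not hmac.compare_digest(owner_token, payer.owner_token):
            raise AuthorizationError("only the account owner can push funds out")
        self._move(payer_id, payee_id, amount)


def demo():
    """Walk a stolen account number through both models; returns the balances observed."""
    ledger = Ledger()
    ledger.open("cust-001", owner_token="cust-secret", balance=500)
    ledger.open("merchant-77", owner_token="merchant-secret")
    ledger.open("thief-99", owner_token="thief-secret")
    result = {}

    # Pull model: the captured number alone drains the customer.
    ledger.pull("cust-001", "thief-99", 100)
    result["after_pull"] = ledger.accounts["cust-001"].balance          # 400

    # Push model: the same number without the owner's credential moves nothing.
    try:
        ledger.push("cust-001", "guessed-token", "thief-99", 100)
        result["stolen_number_push_blocked"] = False
    except AuthorizationError:
        result["stolen_number_push_blocked"] = True
    result["after_blocked_push"] = ledger.accounts["cust-001"].balance  # still 400

    # The customer pays the merchant by pushing from their own session.
    ledger.push("cust-001", "cust-secret", "merchant-77", 100)
    result["after_purchase"] = ledger.accounts["cust-001"].balance      # 300

    # Knowing cust-001's id lets the merchant send money (a refund), never take it.
    ledger.push("merchant-77", "merchant-secret", "cust-001", 50)
    result["after_refund"] = ledger.accounts["cust-001"].balance        # 350
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger keeps both entry points so the contrast is visible in one place: `pull` has no authorization step at all, which is why every system holding card numbers becomes something PCI has to protect, while `push` checks a credential that never leaves the owner's relationship with their own institution.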

Unfortunately, lots of businesses will, inevitably, go out of business. So be it. As Frederic Bastiat showed in the 1800s, let people spend their money where they find best. These still can be credit and debit accounts; I can push $100 to Target using a specific account that gives credit, collects end of the month, and gives miles. Or I can push using my regular old checking account. But it is high time that the entire infrastructure built around authorizing a seller to pull money from my account joined the horse and buggy in the quaint dustbin of history.