By Mark Weiner, Managing Partner, Reliant Security
In recent years, some have criticized the PCI standard as a failure. Pundits point to continued breaches of card data as evidence that the existing payment processing system should be replaced with a new, more secure one, and the standard abandoned. In an exercise I call the “PCI Blame Game,” blame is placed on various constituencies in the card-processing universe including the credit card brands, the merchant community, and card processors. But not only is the PCI Blame Game a futile exercise, it is harmful because it distracts from the important task of protecting the existing payment system.
The business problem
While there have been a number of well-publicized issues with enforcement and implementation of the PCI standard, my opinion is that it represents the best available solution to a very thorny business problem: how best to protect the successful and ubiquitous payment processing system that we all enjoy today, with the understanding that it was never designed to operate in our interconnected world.
ISO/IEC 7813 is the foundation
The logical foundation of the payment system is established in the ISO/IEC 7813 standard for payment cards. This standard, which includes specifications for magnetic stripe data, account numbers and verification values, was designed in the 1970s when the best standard for connecting card intake channels (POS systems, swipe terminals, etc.) with backend payment processing engines was a telephone line. At that time, there was no Internet, no TCP/IP stack and very few high-speed networks. To their credit, the architects of the payment system developed a set of standards that offered maximum scalability and redundancy based on the best technologies of their day. Things worked well and the system expanded throughout the 1980s and early 1990s.
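To make the track layout that ISO/IEC 7813 defines concrete, and to show the kind of check a PCI program actually needs, here is an added example (not code from the original post or from Reliant Security). It parses track 1 (format code B) and track 2 strings, validates the account number with the Luhn check digit, and masks the PAN to the first six and last four digits, the most PCI DSS permits when a PAN is displayed. The track strings and the log line are constructed samples, not captured card data, and the regular expressions assume the common format-code-B layout with the standard start and end sentinels.

```python
"""Parse ISO/IEC 7813 track 1 / track 2 data, validate the PAN with the
Luhn check digit, and redact the PAN for safe logging.

Added example: not code from the original post or from Reliant Security.
The sample track strings and log line below are constructed, not captured
from a real card.
"""
import re
from typing import Optional

# Track 1, format code B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is a correct Luhn check digit."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display masking)."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(data: str) -> Optional[dict]:
    """Return the fields of the first track 1 or track 2 record found, else None."""
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        m = rx.search(data)
        if m:
            fields = m.groupdict()
            fields["track"] = track
            fields["luhn_ok"] = luhn_valid(fields["pan"])
            return fields
    return None


def redact_track_data(text: str) -> str:
    """Replace every track 1/2 record in text with a masked placeholder.

    Full track data must never be retained after authorization, so a log
    scrubber like this is the minimum before anything touches disk.
    """
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        text = rx.sub(
            lambda m, t=track: f"[TRACK{t} PAN={mask_pan(m.group('pan'))}]", text
        )
    return text


# Constructed samples: a well-known Luhn-valid test PAN, fictitious name,
# expiry 12/29, service code 101, arbitrary discretionary data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^29121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890123?"
SAMPLE_LOG = "2009-05-01 12:00:01 pos-07 swipe ok " + SAMPLE_TRACK2

if __name__ == "__main__":
    print(parse_track(SAMPLE_TRACK1))
    print(redact_track_data(SAMPLE_LOG))
```

The Luhn check only catches transcription errors and obvious junk; it says nothing about whether a PAN is live. Its value here is as a cheap filter when scanning logs or memory dumps for stray card data, so that a redaction job can tell a sixteen-digit timestamp from a sixteen-digit account number before deciding what to mask.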
THEN THE INTERNET HAPPENED, and things really took off. No one, not the merchants, the processors, the card brands, nor consumers, complained when the card processing system leveraged the limitless connectivity of the Internet to eliminate billions of dollars of transactional friction in our economy. Payment industry insiders made fortunes, and consumers benefited from the convenience, cost savings, and program rewards that came with the use of their payment cards.
The price we must pay
In my view, the current challenges with payment card data security are the price we must pay to enjoy the benefits of this aging, but highly effective system. As with any technology platform, the system can and should be improved with new technologies like “chip & pin” or smart cards, but this will take time and bring its own costs. In the meantime, the cost of implementing PCI, at least on a macro-economic scale, is small in comparison and makes sense for businesses and consumers. Unfortunately, the costs are not evenly distributed and this will be the subject of my next blog.
Change is difficult because of existing standards
Since the technology exists to implement a new logical foundation for electronic payments, what are we waiting for? The problem again boils down to the power of standards. An entire market has developed around the current ISO/IEC 7813 payment-processing framework. Getting an entire market to shift to a new standard is challenging, likely impossible, for the foreseeable future. How difficult a transition to a new standard can be is evidenced by two antiquated standards that continue to dominate our lives and culture today: the English system of weights and measures and the Microsoft/Intel x86 ("WinTel") standard of personal computing.
You may recall that in the 1970s the U.S. tried to convert to the metric system. This conversion made sense since it is used by far more people globally than the English system. The government forced schools to teach children about the new system, and spent millions of dollars promoting it to consumers and businesses. But the English system proved to be too ubiquitous in our society, and conversion to the metric system never happened.
My other example is the aging WinTel standard for personal computing that was developed in the 1980s. The standard still dominates nearly 90% of the world’s personal computers despite the existence of superior technologies such as Macintosh. Like the payment system, the WinTel standard was not designed for the interconnected world of 2009 and suffers significant security issues. It continues to be retrofitted and patched to deal with security vulnerabilities its designers could never have imagined. Only now, with the advent of free operating systems like Linux, are we starting to see cracks in the foundation of Windows dominance. But they are just cracks, mind you!
The existing payment system is here to stay
Back to the payment system: it too is ubiquitous and has brought huge benefits to businesses and consumers. It too is showing signs of age. Tens of millions of swipe terminals have been deployed to service it, and nearly every business in the country touches it. The credit card pocket in my wallet was designed around it. The current payment system is entrenched, so don't count on changing it anytime soon. Like it or not, we are stuck with this system, and with the challenge of securing it. It is the price we pay for the benefits we get from continuing to use it. Playing the PCI Blame Game is a useless exercise, a bit like blaming all criminal activity on the U.S. government because the Federal Reserve prints the money that criminals attempt to steal.
Next…
In my next blog, I will explore why the costs of protecting the card system appear so unevenly distributed. Also, I will look at data security technology providers—a community that has managed thus far to skirt the swirling controversy around PCI.