
Re-Designing PCI

I'm by no means a PCI expert, but I find the area of great interest and not just because it gets companies buying two-factor authentication systems (and current customers to update ;). It is a fascinating market to analyze.

At the top is the PCI Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. They are ultimately responsible for maintaining trust in the system. At the end of the day, the credit card system won't be replaced any time soon, so what they are really trying to do is limit any attempt at external regulation. Further, they are regulating their own customers: if they are too strict, their customers will get upset. In this post, I highlight three issues that have come to my attention recently and make some suggestions on fixing them.

1. There are agency issues as discussed in a previous post. In sum, the QSAs are paid by the companies they audit.

2. There is an incentive to only do the minimum.

We recommend that customers deploy a third-party RADIUS server between WiKID and their VPN. For example, for Microsoft shops, we recommend using the Microsoft RADIUS server, IAS, to proxy authentications from the VPN to WiKID. IAS first validates the user's group membership in AD before forwarding the request. This simple extra step makes de-provisioning more secure: you only have to disable the user in AD and they no longer have access, regardless of the state of their token. Unfortunately, we have had situations where admins configure the VPN to talk directly to WiKID, primarily because they are under the gun with the auditors already in house.

So, the company is more secure because they have two-factor authentication, but not as secure as they could be because the spec is not focused on optimization.
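The de-provisioning difference between the two wirings, as an added illustration that is not code from this post, WiKID, or Microsoft: the directory, RADIUS proxy and two-factor server below are in-memory stand-ins for AD, IAS and WiKID, and the user names, group name and one-time passcodes are constructed sample data. The proxy checks that the account is enabled and in the required group before it forwards anything upstream, so disabling the account in the directory cuts off VPN access even though the two-factor server still considers the token valid.

```python
"""Constructed model of VPN -> two-factor wiring, direct versus via a RADIUS proxy.

Not vendor code: Directory stands in for Active Directory, RadiusProxy for IAS,
TwoFactorServer for WiKID. All sample users and passcodes are made up.
"""
from dataclasses import dataclass


@dataclass
class DirectoryUser:
    enabled: bool
    groups: frozenset


class Directory:
    """Stand-in for Active Directory: account state plus group membership."""

    def __init__(self, users):
        self.users = dict(users)

    def disable(self, username):
        # The single de-provisioning step an admin performs.
        self.users[username].enabled = False

    def is_enabled_member(self, username, group):
        user = self.users.get(username)
        return user is not None and user.enabled and group in user.groups


class TwoFactorServer:
    """Stand-in for the two-factor server: it only knows each user's token
    state, nothing about directory account status."""

    def __init__(self, current_otps):
        self.current_otps = dict(current_otps)

    def validate(self, username, otp):
        return self.current_otps.get(username) == otp


class RadiusProxy:
    """Stand-in for IAS: enforce directory policy first, then proxy upstream."""

    def __init__(self, directory, upstream, required_group):
        self.directory = directory
        self.upstream = upstream
        self.required_group = required_group
        self.audit_log = []  # one line per decision, useful for review

    def authenticate(self, username, otp):
        if not self.directory.is_enabled_member(username, self.required_group):
            self.audit_log.append(
                f"REJECT {username}: not an enabled member of {self.required_group}")
            return False  # never reaches the two-factor server
        ok = self.upstream.validate(username, otp)
        self.audit_log.append(
            f"{'ACCEPT' if ok else 'REJECT'} {username}: two-factor {'ok' if ok else 'failed'}")
        return ok


def vpn_direct(twofa, username, otp):
    """The pattern the post warns about: VPN sends the request straight to two-factor."""
    return twofa.validate(username, otp)


def vpn_via_proxy(proxy, username, otp):
    """Recommended pattern: VPN -> RADIUS proxy (directory check) -> two-factor."""
    return proxy.authenticate(username, otp)


def build_lab():
    # Constructed sample data: two users, only alice is in the VPN group.
    directory = Directory({
        "alice": DirectoryUser(enabled=True, groups=frozenset({"VPN-Users"})),
        "bob": DirectoryUser(enabled=True, groups=frozenset({"Staff"})),
    })
    twofa = TwoFactorServer({"alice": "482913", "bob": "117702"})  # constructed OTPs
    proxy = RadiusProxy(directory, twofa, required_group="VPN-Users")
    return directory, twofa, proxy


def deprovisioning_scenario():
    """Disable alice in the directory only (no change on the two-factor server)
    and compare what each wiring does with her still-valid token.
    Each tuple is (direct result, via-proxy result)."""
    directory, twofa, proxy = build_lab()
    result = {
        "alice_before": (vpn_direct(twofa, "alice", "482913"),
                         vpn_via_proxy(proxy, "alice", "482913")),
        # bob holds a valid token but was never put in the VPN group
        "bob": (vpn_direct(twofa, "bob", "117702"),
                vpn_via_proxy(proxy, "bob", "117702")),
    }
    directory.disable("alice")
    result["alice_after_disable"] = (vpn_direct(twofa, "alice", "482913"),
                                     vpn_via_proxy(proxy, "alice", "482913"))
    result["audit_log"] = list(proxy.audit_log)
    return result


if __name__ == "__main__":
    for key, value in deprovisioning_scenario().items():
        print(key, value)
```

With the direct wiring, alice still authenticates after her account is disabled and bob authenticates without ever having been granted VPN access; with the proxy in front, both are rejected at the directory check and the rejection is recorded before the two-factor server is ever consulted.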

3. The process of how the specification is improved is not optimized.

Some argue that the PCI specification does not move fast enough to combat the attacks against credit card systems, that PCI-DSS is a game of catch-up. Indeed, what is the incentive for an organization to suggest anything that increases the requirements on it? I would bet that security preparedness at PCI firms is normally distributed. A certain percentage of firms invest in security, see it as a key differentiator and excel at it. The trick is to give those organizations credit for their trail-blazing efforts while encouraging the other firms to adopt their strategies.

The current fines provide the incentive to meet the minimum, but some system is needed to incent companies to exceed the minimum. I would suggest an 'extra-credit' point system. Companies can earn extra points for going above and beyond the minimum. The PCI Council can suggest a set of extra-credit points or, even better, firms can suggest what they are doing to exceed the specification. If accepted as extra-credit, the suggestions can then become part of the life cycle process.

QSAs could score their customers. These extra-credit scores would be known only to the QSA and the PCI powers that be, allowing more honest feedback from the QSA. Customers could also score their QSAs anonymously, creating some balance (though collusion is possible).

I also suggest that the PCI Council implement random audits, paid for by the PCI Council. Random audits would not have to be done very often to be highly effective. They should at least include random network scans and possibly penetration tests. These random tests would help offset the potential for collusion between QSAs and their clients.

Finally, there need to be some incentives to earn the extra-credit points. The fines for being out of compliance help maintain the minimum. What you don't want is organizations reducing their security efforts to just meet the compliance standard. The best way to reward exceeding it is to reduce the processing rates for entities that consistently exceed the PCI-DSS requirements. After all, that is where the costs of fraud go. I'm not sure why Visa, Amex and MasterCard haven't increased fees instead of issuing fines, except that there is great sensitivity regarding pricing in an oligopoly. There are other incentives that could be used. For example, Level 1 organizations might be allowed to self-assess after earning enough points.

These are just some suggestions around a highly complex issue. I look forward to hearing more PCI discussions at Shmoocon.
