May 24 2010
I’m a big fan of tokenization and end-to-end encryption (E2EE). Never mind the fact that neither technology is fully developed, nor do we even have a real definition of either technology. The fact that both of these technologies have the potential to take credit card information out of the general merchant environment and give the bad guys less reason to attack is enough for me. It won’t stop attacks against merchants altogether, but it will cut down on the value of breaking in and therefore cut down on the number of attacks, at least in theory. It will also cut down on merchants’ responsibility for meeting the PCI DSS requirements, since much of the environment that the QSAs have to review will now be out of scope. But without the threat of PCI (and potential fines/fee increases), will merchants keep up the minimum security safeguards that PCI mandated, or will they revert to their old ways and ignore security for the most part?
One of the big questions that comes up over and over again is how effective PCI is in securing the merchant environment. And the answer is, no one really knows. Breach disclosure laws prior to 2003 were non-existent, and even once California passed SB1386 and got the legal ball rolling, breach disclosures have been spotty at best. Now that we’ve got some 40 states with some form of breach disclosure law, the information we’re able to gather is much more consistent. Unfortunately, we have still lost the ability to have any real baseline to measure the success of PCI against, and anyone who says that PCI is or isn’t effective is mostly going on their own anecdotal evidence, not hard data. Verizon’s Incident Metrics Framework may help in gathering statistics going forward, but we’ve already lost the data needed to measure the effectiveness of PCI. (Disclaimer: I work as a QSA for Verizon Business.)
As tokenization and E2EE take hold, we’re going to have another chance to see how effective PCI is in securing the merchant environment and whether or not merchants are really going to secure their environment without the threat of PCI hanging over their heads. There’s almost nothing in PCI that a shop with a good security program shouldn’t be doing in the first place. Firewall reviews, anti-virus, log monitoring, IDS, etc. are all safeguards that are mandated by PCI, but they are security measures that any good security shop should be putting in place for their organization by default. The fact that many organizations couldn’t get the funding for some of these tools until PCI came along is a measure of how hard it is to get budget for security. And if organizations start losing the funding for these projects because tokenization and E2EE have taken the majority of their systems out of the scope of PCI, we’ll know that PCI was the real driver for the safeguards, not any real concern over security.
PCI is expensive. Security is expensive. Not necessarily because the tools are expensive, but because merchants ignored security for years and have had to spend a lot of money and time to implement the tools they should have been running in the first place. If they can reduce the scope of the systems they have to protect through new technologies and no longer have to be assessed on an annual basis, do you think they’re going to keep paying for the tools that they implemented just for compliance or do you think they’re going to let their IDS and log management tools fall by the wayside? I know that some of the shops I’ve seen will keep the tools and keep using them properly. But I think the majority of merchants are going to go back to their old ways and do the bare minimum that their security group can fight to keep. If your company’s marketing department depends on PCI to make sales, I’d be very afraid of tokenization and end-to-end encryption.