May 24 2010

Will merchants revert to their old ways?

Published by at 7:44 am under Encryption,PCI,Risk,Simple Security

I’m a big fan of tokenization and end-to-end encryption (E2E2).  Never mind the fact that neither technology is fully developed, nor do we even have a real definition of either.  The fact that both of these technologies have the potential to take credit card information out of the general merchant environment and give the bad guys less reason to attack is enough for me.  It won’t stop attacks against merchants altogether, but it will cut down on the value of breaking in and therefore, at least in theory, cut down on the number of attacks.  It will also cut down on merchants’ responsibility for meeting the PCI DSS requirements, since much of the environment that QSAs have to review will now be out of scope.  But without the threat of PCI (and potential fines/fee increases), will merchants keep up the minimum security safeguards that PCI mandated, or will they revert to their old ways and ignore security for the most part?

One of the big questions that comes up over and over again is how effective PCI is in securing the merchant environment.  And the answer is, no one really knows.  Breach disclosure laws prior to 2003 were non-existent, and even once California passed SB1386 and got the legal ball rolling, breach disclosures have been spotty at best.  Now that some 40 states have some form of breach disclosure law, the information we’re able to gather is much more consistent.  Unfortunately, we still lost the ability to have any real baseline to measure the success of PCI against, and anyone who says that PCI is or isn’t effective is mostly going on their own anecdotal evidence, not hard data.  Verizon’s Incident Metrics Framework may help in gathering statistics going forward, but we’ve already lost the data needed to measure the effectiveness of PCI.  (Disclaimer:  I work as a QSA for Verizon Business)

As tokenization and E2E2 take hold, we’re going to have another chance to see how effective PCI is in securing the merchant environment and whether or not merchants are really going to secure their environment without the threat of PCI hanging over their heads.  There’s almost nothing in PCI that a shop with a good security program shouldn’t be doing in the first place.  Firewall reviews, anti-virus, log monitoring, IDS, etc. are all safeguards that are mandated by PCI but are security measures that any good security shop should be putting in place for their organization by default.  The fact that many organizations couldn’t get the funding for some of these tools until PCI came along is a measure of how hard it is to get the budget for security.  And if organizations start losing the funding for these projects because tokenization and E2E2 have taken the majority of their systems out of the scope of PCI, we’ll know that PCI was the real driver for the safeguards, not any real concerns over security.

PCI is expensive.  Security is expensive.  Not necessarily because the tools are expensive, but because merchants ignored security for years and have had to spend a lot of money and time to implement the tools they should have been running in the first place.  If they can reduce the scope of the systems they have to protect through new technologies and no longer have to be assessed on an annual basis, do you think they’re going to keep paying for the tools that they implemented just for compliance or do you think they’re going to let their IDS and log management tools fall by the wayside?  I know that some of the shops I’ve seen will keep the tools and keep using them properly.  But I think the majority of merchants are going to go back to their old ways and do the bare minimum that their security group can fight to keep.  If your company’s marketing department depends on PCI to make sales, I’d be very afraid of tokenization and end-to-end encryption.


5 Responses to “Will merchants revert to their old ways?”

  1. Geoff Webb on 24 May 2010 at 9:47 am

    Hey Martin,

    I’m curious if you have a sense of the appetite of merchants to implement something like end-to-end encryption? I’ve certainly seen a desire to reduce scope around PCI compliance, but I wonder at the potential costs and how much that becomes a barrier to projects getting off the ground. Any ideas?

  2. Martin on 24 May 2010 at 10:24 am

    Reports differ, but the merchants I talk to tend to be very interested in both technologies. Anything that will take their systems out of scope is of great interest to the people I’m working with. And the recent Forrester report by Kindervag also backs this up. I’m not sure of the costs involved in either technology, since even the definitions of both technologies are up in the air at this point.

    I know of several merchants who are pushing their vendors to get some sort of end-to-end encryption in place, even if the back end is at the merchant, which is not the preferred way. It’s going to be the relationship between the vendor and the acquiring banks that’s going to be one of the hardest parts to get in place, so we’ll see how tokenization and E2E2 are adopted going forward.


  3. alan shimel on 25 May 2010 at 4:25 am

    Martin, good article! I think until PCI makes these technologies mandatory, you won’t see merchants doing it on a wide scale. So the question in my mind is when will the PCI Council do that?

  4. Martin on 25 May 2010 at 5:31 am

    You’ve missed one of the things I said in my earlier comment: It’s merchants who are pushing their vendors to include tokenization and E2E2 in their products, not vendors who are trying to get merchants to buy these solutions. This is something that’s moving too quickly for the PCI Council to make adjustments for. Besides, the PCI Council has made a habit of waiting until the technology groups have shaken out some and stabilized before they’ll make any changes to the DSS.


  5. […] friend Martin McKeay can be so idealistic sometimes. Martin is infatuated with tokenization and end-to-end encryption as the answer to making all things PCI good (or out of scope at least). Never mind for the moment […]
