Thales Blog

PCI DSS: Does It Have To Be This Difficult?

October 16, 2009

At a recent meeting of the PCI DSS User Group, one feeling united participants: confusion over the best way to tackle implementation of the standard.

The lack of a firm and consistent deadline for compliance, along with the uneven pressure being applied to different merchants, was highlighted as an initial problem. Further obstacles to speedy compliance include key management and its compatibility with the various applications that handle sensitive data, the availability of PCI-compliant applications for POS systems and websites, and open questions over how to remove customer card details from recorded telephone calls. It is no wonder, then, that in research published recently by the Ponemon Institute, 71% of companies are failing to treat PCI DSS as a strategic initiative, even though 79% have already experienced a data breach.

As the conclusions drawn from the PCI DSS User Group meeting show, however, tackling data security through PCI DSS compliance is proving to be a challenging task. Regulation is a necessary step and full compliance is a useful end-goal, but if the obstacles to implementation are so great that compliance is not achievable in practice, the standard alone cannot be relied upon to solve the problem.

So, perhaps the answer is not to protect card data so that it can never be compromised, but to make it "worthless" to anyone who does not hold a second factor to substantiate it. Chip and PIN EMV cards are one commonly used example, since a PIN is needed to complete the transaction. However, even EMV cards remain susceptible to Card Not Present (CNP) fraud, because the chip and PIN play no part in an online or telephone transaction, unless something like MasterCard's CAP or Visa's DPA is used to generate a one-time code from the chip for those transactions. This highlights the fact that a solution must address all payment channels, including CNP, or the "weakest" channel will continue to be an outlet for fraud.

Maybe it's time to change the game and focus on always requiring a second factor to authorize transactions. We already have an assortment of existing approaches to choose from: PIN, printed card security codes (CVV2, CVC2, etc.), 3D Secure, CAP/DPA in EMV environments, and so on. Of course, this approach is not without its own challenges. If even one transaction channel does not use a second factor, the cardholder data becomes "useful" to fraudsters again.

Contactless cards also offer a solution, as described in the media response from the Smart Card Alliance. These cards generate a dynamic cryptogram for each transaction using a key that never leaves the chip, so copying the magnetic stripe data, or capturing the data from one transaction, is worthless for the next transaction without the ability to generate a fresh cryptogram. The primary advantage of many of these alternatives is that they are based on technologies already in place, which accelerates implementation and avoids dependence on new products, technologies, or processes.
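To make the contrast between static and dynamic card data concrete, here is an added example (not code from the original post, and not an implementation of the EMV specification). It is a simplified model: HMAC-SHA256 stands in for the EMV MAC algorithm and key diversification, the issuer master key, PAN and CVV are constructed sample values, and the cryptogram is bound to the card's transaction counter, the amount, and a nonce chosen by the terminal. The model shows that replaying skimmed stripe data authorises every time, while replaying a captured cryptogram, or presenting it at a fresh terminal, is rejected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample material for the demonstration; none of it is real card data.
ISSUER_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PAN = "4111111111111111"
STATIC_CVV = "123"


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key diversified from the issuer master key (simplified stand-in
    for EMV key derivation; the real scheme uses 3DES/AES, not HMAC)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()[:16]


def cryptogram_input(atc: int, amount_minor: int, unpredictable_number: bytes) -> bytes:
    """Transaction data the cryptogram is bound to: card counter, amount, and a
    nonce chosen by the terminal, so no two transactions share an input."""
    return atc.to_bytes(2, "big") + amount_minor.to_bytes(6, "big") + unpredictable_number


def compute_cryptogram(card_key: bytes, atc: int, amount_minor: int, unpredictable_number: bytes) -> bytes:
    """8-byte MAC over the transaction data (HMAC stands in for the EMV MAC)."""
    data = cryptogram_input(atc, amount_minor, unpredictable_number)
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    """The chip: holds the card key and a counter that only ever increases."""
    pan: str
    key: bytes
    atc: int = 0  # application transaction counter

    def generate(self, amount_minor: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, compute_cryptogram(self.key, self.atc, amount_minor, unpredictable_number)


@dataclass
class Issuer:
    """Issuer host: re-derives the card key and checks counter and MAC."""
    master_key: bytes
    last_atc: dict[str, int] = field(default_factory=dict)

    def verify(self, pan: str, atc: int, amount_minor: int,
               unpredictable_number: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter already seen: a replay of captured data
        expected = compute_cryptogram(derive_card_key(self.master_key, pan),
                                      atc, amount_minor, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # not produced by this card for this transaction
        self.last_atc[pan] = atc
        return True


def static_stripe_replay() -> tuple[bool, bool]:
    """Static track data: whatever a skimmer copies authorises again and again."""
    on_file = (PAN, STATIC_CVV)
    captured = (PAN, STATIC_CVV)  # exactly what was read off the stripe

    def authorise(pan: str, cvv: str) -> bool:
        return (pan, cvv) == on_file

    return authorise(*captured), authorise(*captured)


def dynamic_cryptogram_replay() -> tuple[bool, bool, bool]:
    """Dynamic cryptogram: the genuine transaction passes, copies of it do not."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(PAN, derive_card_key(ISSUER_MASTER_KEY, PAN))
    amount, nonce = 4250, os.urandom(4)  # terminal's unpredictable number
    atc, cryptogram = card.generate(amount, nonce)
    genuine = issuer.verify(PAN, atc, amount, nonce, cryptogram)
    # Attacker replays the captured transaction verbatim.
    replay = issuer.verify(PAN, atc, amount, nonce, cryptogram)
    # Attacker presents the captured cryptogram at a fresh terminal (new nonce,
    # next counter value); without the card key it cannot be recomputed.
    reuse = issuer.verify(PAN, atc + 1, amount, os.urandom(4), cryptogram)
    return genuine, replay, reuse


if __name__ == "__main__":
    print("static stripe data:", static_stripe_replay())       # (True, True)
    print("dynamic cryptogram:", dynamic_cryptogram_replay())  # (True, False, False)
```

The two checks in Issuer.verify are what make the copied data worthless: the monotonic counter defeats a straight replay, and the MAC over terminal-chosen data defeats reuse anywhere else. Note that neither check helps a channel that never asks the chip for a cryptogram, which is exactly the CNP gap described above.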

This may sound like a radical approach, but in the early days of credit and debit cards a second factor was always used to verify transactions: either a PIN to withdraw cash at an ATM, or a signature on the credit card slip that the cashier checked against the one on your card. So, perhaps it is not such a radical approach after all.