comforte Lounge Blog


    U.S. Retailers Declare War on PCI Council – comForte Perspective

    We have been working in the context of Payment Card Industry (PCI) for a rather long time — more than a decade, in fact. We have been active in computer security approximately five years longer; time certainly flies.

    Introduction – selling basic security software and being too early

    Working for a software vendor that makes a significant part of its revenue by selling security software might make us biased; but we have always tried to only develop, market, and sell software that in fact makes customers more secure.

    We do remember that, for a long time, selling any software securing HPE NonStop systems was very much an uphill battle; we vividly recall giving presentations to technical folks who would pick up on the fact that their systems weren’t, in fact, very secure, but who, you could tell, weren’t particularly concerned.


    It took us a while to figure out that we were ahead of the curve. Imagine being one of the first seatbelt salesmen, but you’re in the early 1930s and there is no mandate whatsoever for safety features, and folks are simply not concerned about getting hurt in accidents. After all, cars are new and exciting; so why worry about safety? In the car world, the attitude toward seatbelts has certainly changed in this day and age.


    Enter PCI in 2005 — the rules change and so do we. At the time, it was the first well-written security standard we’d ever come across — and we had come across numerous others. The first version of PCI-DSS was created by the PCI Security Standards Council, and it was reasonably short, concise — and, most importantly, it had “teeth.”

    Noncompliance was different from being audited internally and filing the results away. Noncompliance could have severe consequences, depending on many factors.


    We were thrilled at the time and attended several conferences where we met fellow security professionals who, we felt, were trying to make the computer world more secure. Eventually, in 2011, comForte joined the PCI Council, giving us more “street cred” and also more insight into the organization, including the ability to participate actively.


    Over the next several years, we would read the PCI standards in their various incarnations. And then do it again... and again. We would reflect on how to apply them to the somewhat secret platform of HPE NonStop servers. We did plenty of presentations over the years and wrote plenty of white papers on the topic.



    The seventh-year itch?


    Eventually, participating in the conferences got a bit same-ol’, same-ol’. And, there were a few somewhat alarming things we noticed:


    • We were simply shocked to learn how the council was funded — you’d think that the world’s largest credit card organizations (i.e., Visa, MasterCard, Amex, etc. — all “founding members”) would have enough money to fund such an organization. Not so! The Council was created with seed money from the large credit card organizations before becoming its own entity. Sounds reasonable, as you don’t want such an organization to be run or controlled by the card brands only, right?

    • Over time, we felt like the council became more concerned with its own financial stability than with serving its participating organizations. (comForte is a rather small organization with fewer than 100 employees currently, and the yearly membership fee is not trivial.) Also, the conferences are not exactly cheap, nor is being a sponsor. What really drove us over the edge is how they sell their training — to become top-level certified, you have to take one of their classes. With all due respect to the Council, that is all but unheard of in computer training. We have passed many certifications, often gaining the knowledge in practice rather than through any class. The standard method is “if you feel confident you know the content, take an exam and you’ll find out.” (As an aside, we did complain about this, to no avail.)

    • We have worked with numerous organizations that fall under PCI rules, and we have been taking part in a working group within the PCI council. While the code of ethics of our CISSP certification (and normal business ethics) does not allow us to go into detail, we made the following three observations:

      1. Some decisions made within the PCI council are not transparent. There is a lot of talk of transparency, but our gut feeling tells us some decisions are made in the back room.

      2. Some auditing results are mind-blowingly wrong. Imagine bringing your car in for a checkup without seatbelts and brakes, and the garage says, “You can drive like that securely for 100,000 miles.” We have seen this exact thing happen on many occasions.

      3. Imagine KPMG doing: 1) consulting for a large company on how to file its taxes; and then 2) doing the tax audit for that company. Surprise: This is forbidden, and for good reason. Here’s another surprise: This happens all the time in the PCI audit space. Why is this allowed? No idea.


    So our initial love of the council has somewhat faded, and comForte actually decided to leave the PCI Council this year, so 2016 will be the last year of our being a full-paying member. Having said all this, we do believe that the PCI Council has played a very important role in improving payment security since its inception – and we do remain convinced that only standards and regulations drive computer security forward.



    U.S. retailers declare war on PCI council


    We admit to being completely surprised when we saw the following press release just days ago: Retailers Ask FTC to Investigate Credit Card Industry's PCI Security Group for Antitrust Concerns. Let us quote the key pieces:


    “We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.


    The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector — the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”



    So, there is war now? Will there be a winner?


    We are somewhat torn between different thoughts here: If you are with us so far, you know that we are both friendly and critical toward the PCI Council. Other than being avid shoppers, we have no professional or personal attachment to the U.S. retailers and their National Retail Federation (NRF) association.


    So, what gives? At the moment, we doubt this statement will make the world of shopping more secure. Does the PCI Council have some issues? In our humble opinion, yes. Are security standards important? YES, YES, YES! Is the PCI Standard well-written? YES. Are there (minor) omissions/issues in it? Yes. Is the process perfect? No. Has security increased because of it? Yes.

    It remains open whether this particular war will end up with only losers, only winners, or a mixed result. We plan to discuss this with some colleagues within comForte, and one of them will write a follow-up blog. For now, we’d be very interested in YOUR view. Please comment or email us at t.burgcomfortecom.