Thanks to Andrew Hay for a retweet that I happened upon last night! Keli at Bluebox Security did a post entitled PCI DSS Ignoring Mobile Security is Irresponsible that discusses some of the implications of the Council’s lack of guidance and standards around this emerged (it was emerging five years ago) technology. While many security professionals agree that leaving mobile problems alone to fester is irresponsible and doesn’t do any service to the merchant implementing it, I wanted to offer a slightly different take. To me, a better metaphor describing the situation is someone holding on to their VHS player because they might find that one tape of Dirty Dancing they bought twenty-five years ago. Everyone loves that scene where Jerry Orbach gets told “Nobody puts Baby in a corner,” and if I find that tape I will get to watch it again in all its glory!
The Council has been on record saying that they don’t want to impose requirements onto emerging standards because they wouldn’t want to stifle innovation. While that is true in some respects, the voice of the payment brands comes through pretty loud and clear here. They want as many creative, innovative ways to charge a credit card because they make money every time someone does. I’m not blaming the model, it works quite well. But innovation can thrive even in a world of heavy regulation.
Take something like transportation. The innovations in cars and aircraft over the last twenty years have been pretty astounding. Cars that stop automatically to avoid collisions? Infrared HUD displays? Viable electric cars? Video-game-like screens in aircraft cockpits? PLANES MADE OUT OF COMPOSITES!!! All tremendous, leap-frogging innovations that happened amongst heavy regulation. So even some basic minimum standards on top of PCI DSS would not impede innovation in a meaningful way (and I challenge anyone in the industry to find data that says it does).
It’s like your team is in a hockey game sitting on the bench, waiting for the opponent to do something. The opposition takes the puck and skates it past the bench. The players watch it go from right to left, and promptly hop over the wall and skate to the RIGHT… in the opposite direction of where the puck is, but where the puck was BEFORE it came screaming by their bench.
I think this is a fitting explanation of what is happening here; or maybe the Council is just letting the game play and doesn’t care if goals are scored. PCI DSS, as it stands, is starting to lose relevance with respect to these new technologies. Sure, it can be applied to these technologies just like legacy ones, but in many cases the attack surface is different from traditional acceptance as we know it. What’s missing is linkage to actual requirements outside of the formal PCI DSS document that would cover some of these emerging technologies. Guidance documents are OK, but you can’t assess against them. Requirements documents would be helpful, with the standard referring to them like this: “Assess against any applicable supplementary technology standards and document the results.”
These technologies and the retailers that experiment and deploy them are moving forward with or without PCI DSS. The longer the Council waits to address them, the further removed any new requirements will appear when the brands want to address any issues in the technology. On the other hand, any breaches that happen as a result of deploying these technologies will probably violate some other PCI DSS requirement, and the fines will flow regardless.
Maybe that’s the answer. “Hey guys, PCI DSS is what it is. Figure out how to implement it in whatever technology you use, because we will always get you on Requirement 5.1.2 if you have a breach.”