Many times, it seems, the best way for a company to learn whether it was compliant with the Payment Card Industry data security standard is to experience a data breach.
Companies that passed multiple PCI assessments but nevertheless have a security incident are later told that they were in some way out of compliance, leaving an opening for hackers to get in and steal credit and debit card account data.
This issue has been once again thrust into the spotlight by two banks suing the security vendor Trustwave for its alleged role in the massive data breach at Target's retail stores last year. Plaintiffs Trustmark National Bank and Green Bank N.A. say Target's security problems went "undetected or ignored by Trustwave" in its security assessments.
The PCI standard was established by the major card brands in 2004 as a set of rules that apply to any company that handles card data. The PCI Council, which maintains the PCI standard, defends the role of PCI compliance despite the apparent problems in the assessment process.
"It is important to note that in order to remain compliant with any security standard, whether it is HIPPA or PCI, merchants must treat compliance efforts as business as usual rather than as a once-per-year activity," says Bob Russo, general manager of the PCI Security Council.
Merchants who have been validated as compliant generally only "fall out of compliance" when choosing to implement changes after the auditor walks out the door, Russo says.
When the payment processor Heartland Payment Systems disclosed a massive data breach in 2009, the company said it relied too heavily on the PCI auditing process, which did not pick up the issues that led to its breach.
"The audits that are used to determine compliance are very much overvalued, and we overvalued our audits," Robert O. Carr, Heartland's chairman and chief executive, said at the time. As the company investigated its breach, it found even more violations, such as employees storing card data on their own computers to help them do their jobs.
If Target is found to have been out of PCI compliance and is forced to pay fines, the bill could total $3.6 billion, according to an estimate by SuperMoney.
Trustwave would not discuss the matters raised in the lawsuit. "Our corporate policy does not allow us to make any comments on pending litigation," says Trustwave spokesperson Abby Ross.
Trustwave may not have to worry, experts say. The banks' lawsuit "highlights a fundamental misunderstanding of what these assessments are supposed to be these are assessments, not a comprehensive audit," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"I don't think the lawsuit will go anywhere," especially if Trustwave's role was clearly spelled out in its contract, she says. "More often than not, contract law will prevail."
Generally, a qualified security assessor will be at a merchant site for two days, running through checklists and spot checks.
"That's about all you can do in an environment as complex as it is with Target," Conroy says. "To do a comprehensive audit, basically when you'd be finishing up, it would be time to start all over again. It would be like painting the Golden Gate Bridge."
Nevertheless, the assessment process "can create a false sense of security," she says.
Even the PCI Council agrees that the assessment process should not be given undue weight in determining whether an organization is fully protecting all card data.
"A compliance assessment is just a snapshot in time," Russo says. "Just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process."
The PCI assessment process doesn't serve the payments industry well, says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based market research company.
"Gartner wrote a research report back in 2008 that the PCI process was flawed, and it's become a giant money making machine, and meanwhile it hasn't stopped the breaches," Litan says.
In addition, it has long been a sore point for merchants that they must first pay for assessments and technology to meet PCI requirements, and must then pay fines if a breach happens anyway.
Indeed, in the wake of the Target breach, retailers sent letters to Congress stating, in part, that the industry needs a process or forum that goes beyond PCI to better thwart sophisticated cyber attacks.
The card networks have always been able to say that a company suffering a breach wasn't compliant at the time of the breach, Litan says, but in the Target case Trustwave was the service provider looking for vulnerabilities.
The outcome of the lawsuit will depend on how strong Trustwave's contract with Target is, Litan says. "It probably says they are not responsible, but they were the security service provider."
Even if Trustwave prevails, the prospect of getting sued "will make it difficult for the assessors," she says. "I don't know what will happen, but maybe it will prove to be the fatal flaw of the whole PCI process [if assessors are found liable]."
The banks' complaint against Target and Trustwave makes note of the company passing PCI assessments, yet its system was hacked through vulnerabilities in a portion of a network not directly related to payment card data.
Russo says it is common now for each breach to bring the PCI standards' effectiveness under scrutiny. The PCI council analyzes the industry's needs in three-year cycles.
Litigation against Target has also focused on whether the retailer was encrypting its card account data. Encryption renders the card data worthless to hackers.
The PCI data security standard requires encryption for cardholder data being stored or transmitted over public networks, but does not require it for transmissions over the merchant's internal network.
"Generally speaking, there are places where data encryption is required, but unless you are using some form of tokenization or something else, there are points where that data has to be in a readable format for the payment to process," Conroy says.