PCI Compliance: Not a Priority in Australia?Some Companies Choose to Risk Fines Rather Than Comply
It's easy to buy stolen credit card numbers in underground forums. The market for stolen credit card data has thrived, fueled by cybercriminals who exploit security weaknesses in the ways merchants process payment card data.
Payment card security is a growing concern, and it's affecting companies throughout the world, not just in the U.S.
"A lot of organizations look at PCI-DSS and say, 'The benefits don't outweigh the risks.'"
We've all heard about the massive payments breaches that have adversely affected U.S. big box retailers, including Target and Home Depot. But how are companies outside the U.S., where EMV is more widely deployed and breaches aren't as widely publicized, addressing payment card risks?
As the PCI Security Standards Council celebrates its 10th anniversary this year, our editorial team throughout the world is taking a look at PCI compliance, addressing the question: How widely adopted and effective is the PCI Data Security Standard, and will it still be a viable standard 10 years from now? (See PCI Turns 10: Will It Last Another 10 Years?.)
My colleague Tracy Kitten, executive editor at BankInfoSecurity, recently interviewed Troy Leach, chief technology officer for the PCI Security Standards Council, about the PCI-DSS's efficacy in the U.S. Here, I offer some perspective from the other side of the world, focusing on PCI compliance in Australia.
Lack of Buy-In
Despite the card brands' 12-year efforts in Australia to push businesses to adopt and maintain compliance with PCI-DSS, some large Australian companies still aren't buying in.
In Australia, experts say PCI-DSS has been largely embraced merchants processing more than 1 million transactions a year. But some of those large merchants have opted not to go through what they perceive as the headache and high cost of PCI-DSS compliance, instead taking the risk of paying steep fines that could be imposed by card brands in the wake of a breach.
"A lot of organizations look at [PCI-DSS] and say, 'The benefits don't outweigh the risks,'" says Nick Morgan, managing director of Triskele Labs, a cybersecurity consultancy in Melbourne. "It's good in that it entices companies to implement information security and cybersecurity practices. But it's so prescript around what it says and what you need to do."
The PCI-DSS recommendations are a complicated regime. Version 3.2 of the standard, released in May, runs 139 pages.
PCI-DSS compliance isn't cheap, either. Ajay Unni, CEO of Stickman , a cybersecurity consultancy based in Sydney that assesses companies for PCI compliance worldwide, says his company has worked on compliance projects that range from AU $50,000 (U.S. $37,350) to AU$10 million (U.S. $7.4 million).
"There's a huge industry out there where clients don't want to spend the money and continue to carry the risk," he says. In some cases, the cost of becoming compliant is more expensive than paying a fine, he contends. Although PCI-DSS has raised awareness about the importance of cybersecurity, companies that have embraced it still have security problems, he adds.
Evolving Security Culture
The PCI Council recognizes the complexity of maintaining compliance, and, as a result, emphasizes that card processors and merchants must be vigilant in testing systems and databases after updates or changes.
"The day you get compliant could be the same day you could go out of compliance," Unni says. "We've seen both sides, where clients struggle to get compliant, or they get compliant and they struggle to maintain compliance."
Steve Wilson, a vice president and principal analyst with Constellation Research in Sydney, says the difficulty in maintaining compliance highlights how the card payment network is fundamentally insecure.
PCI-DSS is "a very elaborate and expensive audit regime built around the fact that payment card numbers are replayable by crooks," he says. A mom-and-pop business "would rightfully expect that passing an audit really does predict that the company would be reasonably secure in between audits."
One way to solve the problem of card details being stolen and used again would be to introduce digital signing. Wilson says online payments should require that cardholder data be signed by the microchip that's embedded in EMV cards. Doing so would get around the need for PCI compliance, he contends.
"We should be making systems more robust," Wilson says. "If security breaches are inevitable, as many advisers say, then let's do something to inoculate stolen data against abuse. ... We can never know if PCI-DSS has made merchants more secure. But I am sure if we had directed the effort and resources into making systems immune against stolen credit card data, we would be better off."