Keeping last week’s losing lottery ticket in a safe
First, before all the security evangelicals take to their moral high grounds.
I think security is an important part of any payment system, but maybe we should be concentrating our efforts building payment systems that are secure rather than secure systems that do payments. Since the early part of the century, we have been forced to implement security standards across the length and breadth of the card payments landscape that need constant supervision and assessment, are expensive to audit for compliance, are to some degree subject to the whim of the auditors, and should a breach be identified, then by definition, that service wasn’t compliant.
Second, let’s look at how we got here.
Prior to the creation of the PCI-DSS framework, the card schemes were already running their own security programmes (Visa's CISP and Mastercard's SDP among them), and these were folded together into the 12 requirements of the PCI-DSS. Payment service security was therefore already embodied in the schemes' own frameworks, but whilst it was recommended, it wasn't compulsory. I would have thought that, because global card fraud was on the increase, the card schemes would have already been working towards pushing some sort of compliance requirement. I also think that they would have insisted on some level of compliance in the interests of the industry and of the consumers of its services, which, if allowed to continue, would have set the course for the adoption of a more pragmatic approach.
The first PCI-DSS standard (Version 1) was released in December 2004, around the time the major UK banks were issuing their first chip and PIN cards (I was there, working with the Halifax) and around the time the US was collectively adamant that they were NOT going to replace the magstripe card! I had a lot of intellectual run-ins at the time with US card scheme employees, with all of them telling me that magstripe was secure, and all of them basing this on their belief that all US transactions were authorised online.
At the time, we, the rest of the world, could see that wherever chip cards were introduced, card fraud migrated to less secure regions, and this effect was observed even with UKIS cards (the UK's domestic chip specification that preceded EMV). Even without fraud migration, around 2000 the US was already seeing significant uplifts in levels of card fraud but remained in denial.
The story goes, and it’s not unreasonable, that US card fraud was being used to fund terrorism, even though US card transactions were undeniably secure because they were all authorised online! Then, the US Department of Homeland Security got involved, recognising that fraudulent card transactions were being used to fund terrorism, and looking for a resolution.
The following, you will have to take as hearsay, because the US Department of Homeland Security meeting minutes that document this have been removed, probably several years ago, so I can’t point you to them and I never took a copy. However, I was doing some research on PCI around 2010 and as I recall, there were two meetings (that I am aware of) where the issue of card fraud was raised and then resolved, and both recorded Bob Russo in attendance.
It would appear that rather than support a sensible and managed migration to EMV, the US Department of Homeland Security was convinced that the already high levels of security delivered by magstripe would be enhanced by the universal implementation of the proposed PCI-DSS.
The PCI-DSS was mandated (somehow) by the US Department of Homeland Security as a required standard to be applied across all card payment services in the US, and by corporate osmosis, across the world!
The Application of PCI-DSS
The PCI Data Security Standards are, unsurprisingly, all about protecting card data. The data needing to be protected is designated “Cardholder Data” and “Sensitive Authentication Data“, which by an unremarkable coincidence is ALL the data associated with a magstripe card.
It is possible, and it has always been possible, to clone a magstripe card, and for the clone to be undetectable via any transaction vector: the track data is just a string of characters, so copy it (a skimmer does it in one swipe), write it to a blank card, and off you go. Today, magstripe card data is incredibly vulnerable (and easily readable) and the only way to protect it at rest or in flight is to lock down any database that might store it and any network that might carry it.
The information that we are going to try and protect, with the exception of the full track data and the PIN block, is the information that is printed on virtually EVERY card that has ever been issued and is there for anyone to read! This is the basis of our card security?
Now here’s the thing – if we accept that “Cardholder Data”, and the “CVV”, need to be protected, then because they are printed for all to see on the front and back of a payment card, it follows that the only option we have available to us is to lock down the GLOBAL card processing infrastructure, removing the ability to extract card data from any part of the system. A not unreasonable approach but the data is still printed on every payment card issued!
If we were to accept that we have no issue with the “Cardholder Data” and the “CVV” being released into the world without restriction (i.e. the data has no value), then the rationale for the WHOLE of PCI-DSS falls away. For context, let’s not forget that e-commerce wasn’t huge in the years around 2000, so the later e-commerce argument for PCI doesn’t stand up to contemporary scrutiny.
The alternative application of Chip
Chip card technology (EMV) is designed so that an authorisation request can travel over an insecure network without the request itself being something an attacker can reuse. This doesn't need to mean that the data is encrypted, only that it has no stand-alone value: if it is extracted from source, it can't be replayed. Today, it makes sense to encrypt everything, because encryption is well understood and relatively inexpensive, but the fact remains that encrypting card data isn't what makes a chip payment secure.
Cardholder Data is sensitive in a magstripe world because you don't need much of it to create a workable transaction, and you can pick it up from the card or from a transaction in flight. In stark contrast, Cardholder Data, as defined by PCI, has NO value in EMV land: you cannot create or recreate an EMV transaction request with any, or all, of the card data you could extract from a card, or from a transaction in flight.
A chip authorisation request uses the PAN to route the request to the issuer and identify the account, and it doesn't need to be secret. Every EMV transaction also carries a cryptogram, the Authorisation Request Cryptogram (ARQC), which the chip computes over the transaction data (amount, currency, date, the terminal's unpredictable number and the card's own Application Transaction Counter) using a key that never leaves the chip; the issuer recomputes it and compares. Because the counter moves on and the unpredictable number changes every time, the cryptogram is valid only for that one transaction. It can be passed in the clear without risk, because it cannot be used again!
This means that once a transaction is complete, the transaction data has no further value, and that includes the Cardholder Data. There is no point in protecting any of this data, and to advocate for this approach to security would be like keeping last week’s losing lottery ticket in a safe.
Significantly, this means that the PAN and the Expiry Date and the Cardholder Name and the Service Code and the rest of the data have NO intrinsic value. Cardholder Data is of absolutely no use in a transaction request without the cryptogram, and the cryptogram is generated by the chip at the time of the transaction.
So the whole argument turns on one question: can Cardholder Data, on its own, be turned into a valid authorisation request? In a chip transaction it cannot, because the request needs a fresh cryptogram, the cryptogram needs the card's key, and the key is never exposed, neither on the face of the card nor in any transaction in flight.
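As an added illustration for the two cases discussed above (not code from the original post, and a simplified model rather than the EMV specification), the following Python models the issuer's decision for a magstripe Track 2 that is simply copied and re-written, and for a chip request that carries an ARQC. HMAC-SHA256 stands in for the 3DES/AES MAC that EMV Book 2 actually specifies, key derivation is reduced to two HMAC steps, and the PAN, keys, track data and unpredictable numbers are constructed sample values. It runs the cases the text describes: a genuine magstripe swipe and its skimmed clone (both authorised), then a genuine chip request, the same request replayed, a captured request with the amount edited in flight, and a "clone" built from every piece of Cardholder Data but without the chip's key (the last three declined).

```python
"""Issuer-side authorisation for a magstripe card and for a chip card.
Added illustration, not code from the original post or any scheme. The real
EMV cryptogram is a 3DES/AES MAC defined in EMV Book 2; HMAC-SHA256 stands in
for it here, key derivation is simplified, and all card data is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

# --- Magstripe: Track 2 is a string, and a clone is the same string ---------
TRACK2 = ";4000000000000002=26121011234567890123?"   # constructed sample track

def parse_track2(track: str) -> dict:
    """Split Track 2 into PAN, expiry (YYMM), service code, discretionary data."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("missing Track 2 sentinels")
    pan, rest = track[1:-1].split("=", 1)
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}

def encode_track2(fields: dict) -> str:
    """Inverse of parse_track2: all a skimmer-fed card writer needs."""
    return ";{pan}={expiry}{service_code}{discretionary}?".format(**fields)

def magstripe_authorise(issued_track: str, presented_track: str) -> bool:
    """The issuer can only check that the track matches what it issued."""
    return parse_track2(presented_track) == parse_track2(issued_track)

# --- Chip: the request carries a per-transaction cryptogram -----------------
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"  # real IMKs live in an HSM

def derive_icc_key(imk: bytes, pan: str, pan_seq: str = "00") -> bytes:
    """Per-card key derived from the issuer master key (simplified model)."""
    return hmac.new(imk, (pan + pan_seq).encode(), hashlib.sha256).digest()

def session_key(icc_key: bytes, atc: int) -> bytes:
    """Session key bound to the Application Transaction Counter (ATC)."""
    return hmac.new(icc_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()

def arqc(sk: bytes, amount: int, currency: str, un: bytes, atc: int) -> bytes:
    """Cryptogram over the transaction data, truncated to 8 bytes like a real ARQC."""
    data = amount.to_bytes(6, "big") + currency.encode() + un + atc.to_bytes(2, "big")
    return hmac.new(sk, data, hashlib.sha256).digest()[:8]

@dataclass
class Chip:
    pan: str
    expiry: str
    icc_key: bytes          # personalised into the chip; never readable
    atc: int = 0

    def build_request(self, amount: int, currency: str, un: bytes) -> dict:
        self.atc += 1       # the counter moves on for every transaction
        cryptogram = arqc(session_key(self.icc_key, self.atc), amount, currency, un, self.atc)
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount,
                "currency": currency, "un": un, "atc": self.atc, "arqc": cryptogram}

@dataclass
class ChipIssuer:
    imk: bytes
    last_atc: dict = field(default_factory=dict)

    def authorise(self, req: dict) -> bool:
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False    # replayed or stale counter
        sk = session_key(derive_icc_key(self.imk, req["pan"]), req["atc"])
        expected = arqc(sk, req["amount"], req["currency"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False    # cryptogram was not made with this card's key
        self.last_atc[req["pan"]] = req["atc"]
        return True

def demo() -> dict:
    """Run the cases the text describes and report each issuer decision."""
    results = {}
    results["magstripe_genuine"] = magstripe_authorise(TRACK2, TRACK2)
    clone = encode_track2(parse_track2(TRACK2))         # skimmed, then re-written
    results["magstripe_clone"] = magstripe_authorise(TRACK2, clone)

    pan = "4000000000000002"
    issuer = ChipIssuer(ISSUER_MASTER_KEY)
    card = Chip(pan, "2612", derive_icc_key(ISSUER_MASTER_KEY, pan))
    un = b"\x12\x34\x56\x78"                            # terminal's unpredictable number
    req = card.build_request(1999, "826", un)
    results["chip_genuine"] = issuer.authorise(req)
    results["chip_replay"] = issuer.authorise(req)      # same request, captured in flight
    req2 = card.build_request(500, "826", b"\xa1\xb2\xc3\xd4")
    results["chip_tampered"] = issuer.authorise(dict(req2, amount=50000))  # edited in flight
    fake = Chip(pan, "2612", b"guessed-key", atc=req2["atc"])  # all the card data, no key
    results["chip_clone_without_key"] = issuer.authorise(fake.build_request(1999, "826", un))
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'AUTHORISED' if ok else 'DECLINED'}")
```

The thing to take from it is which field the issuer actually relies on. With magstripe it is the data itself, so a copy is as good as the original and the only defence is to keep the data out of reach. With chip it is a key that never appears in the request, so the PAN, expiry and the rest can cross the network in the clear. The model covers only the chip-read, issuer-authorised path that this section discusses.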
The Choice of PCI or EMV
In the days leading up to the birth of PCI-DSS, card fraud across the globe was increasing dramatically. Many nations elected to migrate from magstripe to Chip and PIN, and the UK was one of the first to implement; being an early adopter wasn't cheap! However, implementing chip has become cheaper as the systems and services have been developed and commercialised, and fewer costly mistakes are likely now that most of the errors have already been made and addressed. Against exploding levels of magstripe fraud, EMV was, and still is, a cost-effective answer.
The world (the rest of the world that is, which does not include the US) was addressing card fraud by sensible means that removed all risk associated with Cardholder Data. It was also clear that the introduction of chip technologies put the fraudsters on the back foot, as there was a strong correlation between the implementation of chip cards in a region and fraud migrating to one of the remaining non-chip regions.
The evidence for fraud migration caused by chip cards would have been available to the US Department of Homeland Security as it was available to everyone. It was big news because it worked. I am assuming here that the mandate for the PCI-DSS was made on recommendation, and that the recommendation must have been US-centric rather than global. The choice, if indeed the alternatives were made apparent, was between PCI and EMV.
The PCI-DSS approach was based on identifying security holes in data storage and data transfer processes and then applying controls to fix the holes identified. However, this was never going to be a one-off exercise: it would require ongoing risk assessments, ongoing security audits and ongoing development to stay one step ahead of the fraudsters. This was going to be expensive in the first instance, and it was never going to stop being expensive, and all the time the data we are protecting is printed on every card issued, anywhere in the world!
The EMV approach was never going to be cheap, as it would require significant investment in infrastructure, but in any region that investment could have been offset against the fraud losses avoided: magstripe fraud was inevitably migrating to the US, and the US would have been paying for it. The advantage of the EMV approach would have been that, to all intents and purposes, it was a one-off cost; beyond natural upgrades and service improvements, there would have been no requirement for continuous risk assessments and security audits.
Pragmatically, this was a no brainer, but the US Department of Homeland Security, looking to implement for expediency, mandated the implementation of the PCI-DSS across the US.
In hindsight, the costs associated with the introduction of chip technologies can be discounted as a reason for the decision, as the US has since adopted chip technologies and was always going to. The argument for adopting the PCI-DSS, with the never-ending costs associated with protecting something that remains fundamentally weak, over EMV, which after twenty-odd years is still fit for purpose, leaves me wondering.
The Global Impact of PCI
The PCI-DSS mandate issued by the US Department of Homeland Security was relevant only to magstripe cards, it considered ONLY magstripe card data and at the time was only relevant to the US. However, protecting the PAN became the mantra of US payment professionals, and inevitably began to bleed out as a meme around the world. People who should have known better enthusiastically jumped on for the ride, inevitably dragging the people who didn’t know better behind them.
I attended a PCI-DSS conference, a long time ago, and David Baker (UK Cards Security and Fraud) raised his hand and asked the question, “Why do we need to implement PCI-DSS in the UK if we have EMV?” The answer was essentially, “Because you do!”
Think about it, we have spent trillions of dollars, or pounds, or euros globally on implementing and maintaining the PCI-DSS, and the reason we do this is “because you do!” Organisations have made a huge amount of money selling this snake oil, because a significant number of payment professionals don’t appear to know any better, and the ones that do keep their mouths shut.
The sad fact is that the cash diverted to establishing and maintaining PCI-DSS compliance has been to the cost of innovations that would have otherwise benefited cardholders and merchants. Instead of spending trillions on securing data that is printed on cards and is plain for all to see, we could have been developing EMV over the Internet thereby locking down e-commerce transactions without needing to hide the data.
The global impact of the PCI-DSS has therefore been to squander cash that would otherwise have been better spent serving the cardholding consumer.
Praise be to the Spirits of Security
The world of the PCI-DSS is a lot like a religion, with disciples constantly emphasising and reemphasising the need to protect the PAN, and other Cardholder Data, without question. They tell us that if we don’t want to protect the PAN, then we must not want secure payment systems; they take the moral high ground, looking down on organisations that fail to meet the standards, and they sit in judgement without being judged themselves.
If you look at the principles and the structure of the PCI-DSS, they hang together and they make sense. I would not challenge them on their logical construction or on their delivery, or on the fact that they originate from a single point. The PCI-DSS is built from a single commandment, “protect the data”, and from this commandment, everything else flows down to the adoring masses, and as long as the premise remains intact, we have a compliant congregation.
But if we point out that the emperor is wearing no clothes, then the whole power structure evaporates. If Cardholder Data isn’t sensitive data, then the rationale for the PCI-DSS evaporates.
Those with a vested interest, either financially or intellectually, will support their deity to the ends of their wallet, and will ridicule and lampoon those who dare speak out against them. We used to burn heretics at the stake and figuratively, we still do, but burning the heretic doesn’t remove the reality.
Recap and Conclusions
I am not arguing, even for a moment, that we don’t need to operate secure systems across the payment infrastructure. I am arguing that we don’t need to operate that particular secure system.
If payment data has no value, then there is little point in protecting it. The fact is that EMV chip card data has no intrinsic value because it can't be used without the cryptogram, and the cryptogram is unique to each transaction.
Had we spent the money that we have spent on securing systems that didn’t need to be secured on developing EMV over the internet, which was always possible if maybe a little clunky in the early days, we would have implemented a global framework where all card payment transactions would have been Card Present! Just think about that. We would also have implemented a global payment infrastructure where all payment transactions were secure transactions.
The PCI-DSS was an inappropriate solution to the growing and well understood problem of increasing levels of magstripe card fraud. The rest of the world had recognised these problems, evaluated the solutions, and then opted for the global migration to EMV. In contrast, the US was aware of the global situation, was aware of EMV and was aware of all the facts, and yet the US went for the PCI-DSS.
The rest of the world was then forced to add the cost of PCI-DSS compliance to the cost of implementing EMV. The US didn’t avoid this double whammy either, as the US funded the PCI-DSS but didn’t escape the need to implement EMV.
We now have a global payment ecosystem that can deliver secure payment transaction information over insecure networks, coupled with a global payment system that secures the information anyway.
Ultimately, we are all led to believe that the PAN is sacred, and needs to be protected at all costs, but if it can be established that the PAN carries with it no risk, then the rationale for the PCI-DSS evaporates. There is no need to protect the PAN, or any other transaction data.
It’s like keeping last week’s losing lottery ticket in a safe.