PCI-DSS compliance becoming justifiable?

Since I have became involved with PCI-DSS several years ago I have always had a major complaint about PCI-DSS.

Merchants do not have protection from liabilities if they take the steps to become compliant!

Now before QSA’s light their torches, let me just say that I completely understand and agree that PCI Compliance ≠ Security. Nevertheless, from a business perspective it’s hard to take a program like this seriously when there is no real benefit from becoming compliant. One can always argue that security is a benefit, but in reality it’s not unless you actually prevent a data loss with it, and there’s no measurable monetary benefit of something that you don’t know was prevented.

I do have a strong belief, which I think is further illustrated by the slow adoption rates of level 3 and level 4 merchants, that most merchants don’t take PCI seriously. Losing customer data is nothing to be joking about, but they way PCI has been implemented with liability dumped on merchants and processors, and the fact that compliant businesses get no protection over non-compliant ones, is laughable. Independent of the PCI Council which they helped start, MasterCard now requires security scans for all merchants even if they don’t process on the Internet or over an IP connection. How can PCI possibly be taken seriously if the founding companies create independent standards after they start an organization specifically to make sure they all have the same standards?

So what’s the big news?

Washington state just passed a law (HB 1149 ^pdf) that effectively legitimizes PCI, or at least legitimizes much of the cost in becoming compliant. What this law will do is grant a merchant safe harbor from liabilities resulting from a data breach, provided that the merchant was PCI compliant when the breach occurred. It also states that the breached organization’s compliance cannot be revoked as a result of a breach. Basically, if you were compliant at the time of the breach, you are still compliant after the breach. This sort of retroactive revocation of PCI compliance has occurred in several major breaches. From my observation, this law is the first breath of reason that I have seen pushed towards PCI compliance.

Business owners (at least in Washington) can look at PCI and assume, if we become secure and become PCI compliant, we’re no longer as-liable if some extraordinary circumstance results in us losing data. The proactive response is: let’s get this taken care of, lets make sure that our data is secure, and let’s get compliant!

Currently that same business owner is checking [YES] to all the boxes and emailing in their questionnaire. They’re asking, so it doesn’t matter if I’m PCI compliant, I’m still fully liable for any costs and damages if someone steals my data? Hmm… [YES] to all… DONE!

The pitfalls

With legislation like this there are pitfalls, and probably some big ones.

First off, the law states that merchants must be validated compliant within 1 year of the breach occurring. 1 year is far too long for a business that was compliant to be assumed to be still compliant. Additionally, this doesn’t address the fact that the business could quite easily take steps to actually become secure, but intentionally remove them for operations sake once they pass a security scan or self assessment.

Second, the law is only for Washington which makes it worthless in all practicality. However, the fact that one state is passing it may push Visa/MC/AMex/Disc to look at adding real protection to PCI.

Third, the law doesn’t address actual costs to consumers such as fees from bounced checks or other bank and credit associated fees. Merchant’s would most likely still be liable for many of these fees (assuming that there are some) if they suffered a breach.

Lastly, the law would justify costs for becoming compliant, but could put huge costs on someone else (and it’s unclear who). If the merchant does suffer a sizable breach, it’s clear that there are real costs in re-issuing cards. What’s not clear is who would end up paying for them if this law is passed.

Meaningless?

Until this law is adopted by the issuers or put into effect on a national level, the benefits from it on a widespread scale, are going to be little to none. I’m openly against government regulation in any industry, yours or mine, so I do hope that card issuers and PCI security council take a serious look into adopting similar measures directly into PCI. I think that providing some sort of protection like this would greatly legitimize PCI especially in the minds of the business owners that are forced to become compliant and feel that PCI does not give them any benefit. It’s time for PCI to give small business owners a real reason to become secure and to become PCI compliant. A measure like this law is that reason!