Gartner misses the point of PCI
November 24th, 2008 by admin. Posted in Chip PIN, PCI DSS

The goal of the PCI DSS is to prevent the electronic and paper theft of cardholder data. That said, the PCI DSS is not the only standard within the PCI family. The collection of PCI standards includes:
- PCI DSS :: Targets merchants and service providers who “store, process, or transmit” cardholder data
- PCI PED :: Targets the PIN Entry Device (PED) used in PIN-based debit and ATM transactions
- PCI PA-DSS :: Targets payment applications that are resold and involved in the authorization and settlement of cardholder data
Gartner's critique is that the PCI DSS v1.2 update should have included a reference to Chip and PIN technology:
Acknowledge the substantial investments in chip and personal identification number (PIN) card technology made in many parts of the world, including most European countries. These investments should limit the scope of compliance efforts, but the updated standard does not even acknowledge these compensating controls and implementations.
This is the wrong approach for several reasons, but seeing why requires a better understanding of the differences between Chip and PIN and the PCI DSS. Chip and PIN has made a dent in payment card fraud, but it does not limit the “scope” of compliance in any way. Dipping a chip card can leave ‘track equivalent’ data on the POS just as swiping a credit card can leave track (magnetic stripe) data there. The ‘track equivalent’ data cannot be used to recreate the chip, but it can be used to encode the track data onto a magnetic stripe.
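The practical consequence of the paragraph above is that a POS environment must be checked for stored track data whether cards are swiped or dipped. The scanner below is an added example (not code from the original post or from the PCI Council): it walks constructed POS log lines, recognises both the magnetic-stripe Track 2 layout (`=` separator) and the chip's track 2 equivalent layout (`D` separator, EMV tag 57), filters false positives with a Luhn check, and reports only masked PANs so the finding itself does not become new cardholder data.

```python
import re

# Track 2 and EMV "track 2 equivalent" data share one layout:
#   PAN (13-19 digits), separator, YYMM expiry, 3-digit service code, discretionary data
# The separator is '=' on the magnetic stripe and 'D' in the chip's BCD encoding.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})([=D])(\d{4})(\d{3})(\d*)")

# Constructed sample log lines; the PANs are well-known test numbers, not real cards.
SAMPLE_LOG = """\
2008-11-24 10:01:02 AUTH ok amount=19.99 ref=8831
2008-11-24 10:01:02 DEBUG emv tag57=4111111111111111D25122011234500000F
2008-11-24 10:03:45 DEBUG msr track2=;5555555555554444=2512101123456789?
2008-11-24 10:05:00 INFO order=1234567890123=4444999 no card data here
"""


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list:
    """Scan text for stored Track 2 / track-equivalent data and report masked findings."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, sep, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):    # e.g. an order number that merely looks like a PAN
            continue
        hits.append({
            # PCI DSS permits showing at most the first six and last four digits
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": expiry,
            "service_code": service_code,
            # service code starting with 2 or 6 marks an IC (chip) capable card
            "chip_capable": service_code[0] in "26",
            "source": "chip" if sep == "D" else "stripe",
        })
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
```

Both the dipped and the swiped transaction produce a finding; the order line is discarded by the Luhn check.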
I do agree with Gartner that the following areas are important, but they are not something that belongs in the standard document itself.
- “end-to-end encryption of card data”
- “inconsistency in the quality of assessments by qualified assessors”
4 Responses to “Gartner misses the point of PCI”
By Walt Conway on Nov 25, 2008
As far as card fraud is concerned, all chip cards do is divert card-present fraud to card-not-present (MOTO) and ATM fraud. For confirmation, look at the APACS statistics and consider the personal experience of a friend of mine in Paris whose debit chip card was compromised — they still have mag stripes! — and had his checking account drained.
Chip-and-PIN is a step forward, but it may not be the silver bullet for merchants.
By Michael Dahn on Nov 25, 2008
Agreed. I think APACS is doing a good job and helping reduce card-present fraud in-country. One of the attacks a carder can perform is using that ‘track equivalent data’ on the mag stripe of another country or for CNP fraud. Cross border fraud is high in AP while in-country fraud is low(er).
The question is does Chip and PIN reduce fraud overall or just spread it cross-border?
By Travis Smith on Nov 25, 2008
Inconsistency isn’t exactly the QSA’s fault, meaning that the standard set forth today can be very vague. What is good news is that the PCI Council is going to start looking over the reports done by QSAs and ASVs to get the assessments more accurate. What I would like to see is the assessment reports compared to the company’s “Data Loss Prevention” plan and to how their network was compromised, should they leak data.
By Michael Dahn on Nov 25, 2008
Consistency is a growing issue and one that is not always (but sometimes is) the QSAs’ fault. Like any industry, there is going to be variance, but the goal of the Council should be to limit that as much as possible.
I think what we are seeing is a landscape similar to other industry standards where the industry pioneers the frontier and the standards body accepts the progress made by industry.
You can see this already in the Council’s reliance on Participating Organizations (PO) to provide input on how the standard impacts their line of business. We are going to see something the ANSI groups have seen for years, which is the standard following the industry pioneers that succeed. How will we measure this? The open market will measure it for us by showing what methods, technology, and advice survive the test of time.