PCI Hypocrisy: Citi's Data Breach

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

This past week, Citigroup announced its credit-card systems were hacked, compromising the card information of approximately 360,000 individuals. If this were a retailer, we would expect to see the card brands order a formal review by a PCI Forensic Investigator (PFI), a re-assessment of the retailer's PCI compliance at the time of the breach and possibly significant fines and other penalties. Will Citi treat itself as harshly as it treats its retailer customers when they are breached? I wonder (and I imagine just about every merchant or processor that has paid for PCI compliance or suffered a breach is wondering, too) whether Citigroup will face similar consequences.

Just about a year ago, I raised the question of whether payment-card issuers should have an outside assessment of their PCI compliance. Everyone understands that issuers need to be PCI compliant. The PCI Council's Frequently Asked Questions (FAQ) #5391 confirms this position with the statement: "PCI-DSS applies to any entity that stores, processes or transmits cardholder data and any such entity is expected to comply with PCI-DSS, including issuers."

The big difference between merchants and issuers, however, is how they validate their compliance. Or I should say, whether they even need to validate their compliance. That same FAQ continues: "At their discretion, payment-card brands may require issuers [emphasis added] to validate PCI-DSS compliance." In this case, the payment-card brands are American Express, Discover, JCB, MasterCard and Visa.

Let's be clear on one thing: This data breach is a big deal. Based on public reports (I have no first-hand or inside information), hackers broke into Citi Account Online sometime in May and made off with the names, PANs, E-mail addresses and other personal information on roughly one percent of its 21 million North American customers. Maybe one percent doesn't sound like a big number, but it translates into about 360,000 compromised accounts, which is a big number. Note, too, that the "other personal information" compromised could lead to identity theft and much more serious consequences for individuals than the inconvenience of having their credit or debit card replaced.

We should give Citigroup credit for going public, to the extent it has, fairly soon after the breach. But other than replacing the compromised cards, I have not read anything to indicate what Citi is doing internally to fix its system and network vulnerabilities. I would also be curious to know whether the card brands are involved.

If a retailer lost 200,000 PANs and cardholder names, the affected card brand(s) would want some answers. I know an organization that was ordered to investigate a breach, and it involved only 12 cards. A card brand could order Citigroup to go through a more formal forensic investigation (which Citi would get to pay for). Even if such an investigation isn't ordered, it sounds like a good idea, because Citi announced the breach was due to an external attack. (Full disclosure: I work for a QSA firm that is also a PFI.) Will Citigroup be ordered to conduct such an investigation?

A second consequence, if a retailer were involved, is fines. If fines were only about covering replacement costs, a fine wouldn't make much sense here: The bank would, in effect, just be paying itself the card reissuing costs. If, however, the fines are designed to punish noncompliant behavior, it might be a different story.

Sadly, what I do see are newspaper articles advising consumers on what steps to take to protect themselves. Everyone is recommending consumers change (and strengthen) passwords, check their credit reports and watch out for phishing E-mails.

All these recommendations are good. But in light of this data breach, it looks too much like the old game of blaming the victim. A merchant or a bank gets hacked, and the cardholders are told to check their credit reports (at all three agencies) and go buy a paper shredder. Granted, the cardholders' liability is virtually zero (at least for a credit card; it may not be so for a debit card). But with Citi's breach of additional personally identifiable information (PII), identity theft is a possibility.

I have a good friend who is a very successful attorney, and she once told me she has a simple rule: She will not take on a client who thinks the world either is or should be "fair." I sometimes have to explain that approach to merchants who are just learning about PCI. I don't expect the world, or even the PCI part of it, to be fair. I do, however, believe it is in issuers' own best interest to validate their PCI compliance. Citigroup's unfortunate experience makes that case better than I ever could.

When I wrote about issuers and PCI compliance validation last year, I took the position that card issuers should not be ordered to validate PCI compliance. Instead, I made the case that issuers should voluntarily validate their compliance for three reasons: It is smart; it probably won't be that difficult; and, most importantly, it is the right thing to do.

Today, I still believe all those things. But I find myself questioning my conclusion. I would love for Citigroup to announce publicly that it had conducted an outside PCI assessment and that, at that time, it was compliant. Such an announcement would reinforce to every merchant the importance of PCI compliance every day, not just when the QSA is looking over your shoulder. Then, if Citi had been breached while compliant, we might learn more about potential new attack vectors.

It is probably too much to ask, but I would also like to know a few more details on the breach, so every issuer and merchant could learn from Citi's experience. For example, did it result from a phishing E-mail to a helpdesk staffer (think RSA), a cross-site scripting attack or even a malicious insider?

What do you think? As a retailer or payment processor or service provider, do you think it is appropriate that issuers do not report when they validate their own PCI compliance? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].