PCI's Fatal Flaw: Protecting Only Payment-Related Systems

Security is nothing if not filled with seeming contradictions, and the latest version of PCI—slated to be officially unveiled next month (October)—is highlighting a beauty: To most effectively protect payment-card-related systems, protection must be focused on anything that is not related to payment card data.

How so? PCI's jurisdiction is limited to payment data and, therefore, it phrases most of its guidelines and requirements in those terms. So a retailer that uses appropriate encryption, firewall and intrusion detection systems only on systems that directly handle payments would be compliant and praiseworthy.

But with today's networked systems, cyberthieves seek out soft spots in the network just so they can somehow get inside. Once there, they'll deploy a wide range of tactics to get other parts of the network to let them roam and, hopefully, reach a payment system through a backdoor, leveraging some variation of the trusted-host assumption (if they're already inside a secure network, something must have authenticated them and let them through).

That soft spot could be anything, ranging from a wireless handheld inventory scanner to a smart networked printer with IP access. Therein lies the conundrum: By solely protecting payment-involved network parts, an admin might inadvertently be making those payment processes much less secure.
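The chain the article describes (an unprotected scanner or printer in one zone, an allow rule into the next, and from there into the payment zone) is easy to miss when an audit only looks at the payment systems themselves. The script below is an added example, not from the article or from any PCI tooling: it walks a constructed device inventory and a constructed set of zone-to-zone allow rules and lists every device outside the payment zone that can still reach it, directly or through intermediate zones, with the unhardened ones first. All device names, zone names and rules are made up for the example.

```python
"""Added example (not from the article): reachability audit over a constructed
device inventory and zone-to-zone firewall allow rules, flagging devices that
are outside the PCI-scoped payment zone but can still reach it."""
from collections import deque

# Constructed inventory: device -> (zone, hardened?). "hardened" stands in for
# whatever controls are actually applied (encryption, patching, IDS coverage).
INVENTORY = {
    "pos-register-01":   ("cde", True),
    "payment-switch":    ("cde", True),
    "inventory-scanner": ("store-wifi", False),  # wireless handheld, unprotected
    "lobby-printer":     ("store-lan", False),   # networked printer with IP access
    "back-office-pc":    ("store-lan", True),
    "guest-tablet":      ("guest-wifi", False),
}

# Constructed firewall policy: (source_zone, destination_zone) pairs that are
# allowed to initiate connections.
ALLOW = {
    ("store-wifi", "store-lan"),
    ("store-lan", "cde"),
    ("guest-wifi", "internet"),
}

PAYMENT_ZONE = "cde"  # the zone PCI actually scopes


def path_to_zone(start, target, allow):
    """Breadth-first search over allow rules; returns one hop-by-hop zone path
    from `start` to `target`, or None when no chain of allow rules connects them."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for src, dst in allow:
            if src == zone and dst not in parent:
                parent[dst] = zone
                queue.append(dst)
    return None


def out_of_scope_exposure(inventory, allow, payment_zone=PAYMENT_ZONE):
    """Devices outside the payment zone that can reach it. Unhardened devices
    are listed first, shortest path first, so the soft spots surface at the top."""
    findings = []
    for name, (zone, hardened) in inventory.items():
        if zone == payment_zone:
            continue  # in-scope systems are what PCI already covers
        path = path_to_zone(zone, payment_zone, allow)
        if path is not None:
            findings.append({"device": name, "zone": zone,
                             "hardened": hardened, "path": path})
    findings.sort(key=lambda f: (f["hardened"], len(f["path"])))
    return findings


if __name__ == "__main__":
    for f in out_of_scope_exposure(INVENTORY, ALLOW):
        flag = "OK  " if f["hardened"] else "RISK"
        print(f"{flag} {f['device']:<18} {' -> '.join(f['path'])}")
```

Run as-is it reports the printer and the wireless scanner as unhardened devices with a route into the payment zone, and the guest tablet not at all, because its only allow rule leads to the internet. In a real audit the inventory and rule set would be pulled from the asset database and firewall configuration rather than typed in, but the check itself is the same: anything that can reach the payment zone is part of the payment zone's attack surface, whether or not PCI counts it as in scope.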

Asa Holmstrom, president of Columbitech, a wireless vendor that specializes in security, said that she routinely runs into retailers that are PCI compliant but very much at risk. "Professional (cyberthieves) out there go for the weakest link. They will go for the devices that are not protected, and that is the way they will get in," Holmstrom said.

Wireless security—which is one of those phrases guaranteed to get at least a few chuckles at any IT gathering—is a wonderful example of how far retail has to go to get secure today. And, Holmstrom argues, the expected changes in 1.2 are not likely to help.

PCI 1.2 "does not offer any improvements to help retailers get a more secure environment," she said. "PCI gives retailers a false sense of security."

The weakest-link theory in security is hardly new, but as more retailers try to adhere to the letter of the law with PCI—and nothing more—they are going to run into problems, especially because PCI doesn't have the jurisdiction to issue rules for any equipment that is not somehow involved in payment card data. Retail CIOs, on the other hand, have much more extensive jurisdiction. The question is: When it comes to security, will they use it?

The jurisdiction issue itself gets hazy. If a wireless scanner or a smart networked printer can be the start of a chain reaction that creates a payment card security breach, couldn't that fall within PCI jurisdiction? Indeed, does it not have to?

That said, where is it reasonable to draw the line? PCI is a series of rules and guidelines to suggest some places the CIO, the IT director and various security executives must focus. Are retailers turning this help into a wall by morphing what should be a start point into an end point?