Earlier this week, MasterCard officially (well, sort of officially) confirmed that retail chain TJX was not in compliance with PCI rules at the time of the $16 billion retailer's infamous January disclosure of a massive data breach.
The significance of this news is not the fact that TJX was not complying with the rules themselves. As former federal prosecutor Mark Rasch said: "It's hardly surprising that they weren't PCI-compliant. That's from the Department of Obviousness."
Nor is it newsworthy that MasterCard opted to confirm the chain's PCI-less state, although it is interesting. It might be a hint of the level of anger that many in the industry feel about the way TJX has been handling their crisis, coupled with a generous dose of CYA. In any other situation, it's truly hard to envision the normally media-shy MasterCard going out of its way to publicly confirm that a retailer was not compliant. Officially, it merely confirmed that TJX's U.S. credit card transaction processor (technically: acquirer)?Cincinnati, Ohio-based Fifth Third Processing Solutions?had reported to MasterCard was TJX wasn't PCI compliant.
No, the true newsworthy aspect of this news is how it illustrates the irrelevance of PCI today, when it comes to retail security. To say that PCI has achieved a toothless reputation today is being generous. It's akin to those homepage declarations that a site has been certified as safe. It only provides comfort to those who don't think about it very much. PCI has become a Santa Claus entity: it only works for those who really want to believe and who are willing to conveniently ignore any facts that disprove it.
PCI certainly doesn't have to be toothless. It has provisions for serious financial penalties and for even banning a merchant from accepting credit and/or debit cards. But for it to taken seriously, the credit card industry and retail industry must undergo a radical attitude conversion. Is MasterCard's comments the first indication of someone trying? A tentative, toe-in-the-water half-hearted try perhaps, but a try nonetheless.
The industry must not only use those fines and penalties but they must do so publicly. Very publicly. We're talking about a news conference every time a fine is issued and they need to be issued every week. Those announcements must be explicit and specific, detailing for the world what the retailer did?or failed to do?and why. For some retailers, the humiliation and embarrassment associated with such a disclosure might be worse than the penalties and that's a good thing.
Retailers need a cost-benefit analysis that makes it worthwhile to heavily invest in security. They must constantly see what happens to companies that fail to comply and it's critical that they must fear those consequences. Today, few retailers have that fear. Is the threat of rescinding a retailer's ability to accept credit/debit cards a true deterrent if no retailer believes it will ever happen?
The next step is taking a much more strict position with PCI-compliance audits. The fact that the auditors in questions are paid by?and are given instructions by?the retailers being audited is the most textbook conflict-of-interest I've seen in quite some time. Why not have the auditors working for the credit card companies or the banks? Why not give the auditors the ability to explore any and all systems, as opposed to just the ones the retailer wants examined? The rules were written assuming that retailers would want to know what was really going on. But what if some key managers with that retailer were deliberately retaining forbidden data, perhaps for a CRM project? Is that Auditor Fox guarding the Retail Chickens?
When the retail and banking industries want to take security seriously, they already have the tools to do so. Until then, please forgive us if we're yawning at a multi-year-in-the-making data breach (which wasn't discovered for years). It's hard to get worked up about a retailer not taking seriously something that the banking and credit firms don't care about, either.