PCI DSS – Retrofitting Security to a bad design?

Any security professional will tell you that attempting to retrofit security to a system is invariably expensive and seldom works. Just as the cost of change in any project goes up exponentially with time, the cost of adding security to a system late in the piece, in an unplanned manner, is usually prohibitive.

I see PCI DSS as an interesting case in point. At one level, it is an excellent standard – clear, well structured, well thought out and enforceable. At another level it can be viewed as a desperate attempt to retrofit security to a design unsuited to the on-line world: trying to “slam the door after the horse has bolted”.

In 1950, when Diners Club first handed out credit cards to 200 people, few people would have predicted their use in “card not present” transactions. IBM envisaged a world market for five computers (1943), and few would have predicted the advent of large-scale computer systems in banks and retail organisations. I don’t know of anyone who predicted the advent of on-line commerce, but if they had, it would have been the stuff of science fiction.

In 1959 American Express issued the first plastic cards. They needed a number to identify them, as people’s names (especially in America, where sons frequently inherit their father’s name) are seldom unique. So they printed it on the front of the card. Merchants used “kerklunkerklunker” machines to take carbon imprints of the cards, and sent the transaction dockets to the banks for processing.

Jump forward 50 years, and the world has changed – but not the underlying system. Merchants and banks record credit card numbers on their computer systems. Throughout the world, customers use their credit card numbers to order products, either over the phone or on-line. Fraudsters with access to valid credit card numbers can make big $$$ by putting fake transactions through.

The solution? Well, banning “card not present” transactions isn’t an option. And so we rely on PCI DSS to ensure that merchants keep clients’ credit card numbers safe. But if credit card numbers are supposed to be treated as “confidential data”, why are they printed on the front of every credit card?

There has to be a better way of solving this problem. Using a number that was never designed to be kept secret to identify people remotely is clearly not a good solution. PKI-enabled smart cards, OTP tokens, SMS, TAN sheets or even (heaven forbid) passwords would offer a better solution, because they all rely on something being kept secret. But until the credit card companies adopt something better, we’re stuck with credit card numbers.

And the cost of implementing PCI DSS to try and slam the door belatedly.
