PCI Standards - what are they good for in the light of the PSN hack?
Copyright (C) 28 April 2011 by Howard Fuhs
It was widely reported in recent days that Sony's PlayStation Network (PSN) has been hacked and has now been offline for almost a week. Besides Sony's strange information policy of not disclosing anything for days and then disclosing only the necessary minimum, it seems fair to say that up to 70 million individual data sets might have found their way to a new owner. Sony warns that the intruder(s) were able to access user information such as name, address, e-mail address, password and login credentials. And, according to Sony, it cannot be ruled out that credit card information may also have been compromised.
So let's see what the last sentence means in a modern world of compliance madness.
One might know that there is a compliance program specifically for all entities involved in credit card payments: PCI DSS, which stands for Payment Card Industry Data Security Standard. In theory, every entity involved in credit card payment processing has to be compliant with PCI DSS, which is usually enforced by contract. Not being compliant usually leads to financial penalties.
PCI DSS clearly states that the best form of data security is not to store credit card information at all, and if storage is necessary for business purposes, the credit card information has to be tokenized and/or encrypted. Furthermore, there is credit card information the user must pass to validate and authorize a payment transaction which must not be stored at all, under no circumstances. If Sony cared about data security in general and PCI DSS in particular, the legitimate question arises how the f*** it could come to a data breach involving large amounts of credit card data?
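The storage rule described above, as an added example in Python (not code from the original article, from Sony or from the PCI SSC): a captured card record is reduced to what may be persisted after authorization, the PAN goes into a token vault and only the token plus a masked copy stay with the application, and any attempt to keep CVV2, PIN or track data is refused. The Vault class and the field names are assumptions made for illustration.

```python
import secrets

# PCI DSS Requirement 3 in brief: cardholder data (PAN, name, expiry) may be
# kept only in protected form; sensitive authentication data (CVV2, PIN,
# full track data) must never be stored after authorization, even encrypted.
SENSITIVE_AUTH_DATA = {"cvv2", "pin", "track_data"}
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiry"}


class Vault:
    """Stand-in token vault. Assumption: in a real deployment this is a
    separate, PCI-scoped system holding the PANs encrypted at rest; the
    dict here only models the token <-> PAN mapping."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random, not derivable from PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def forbidden_fields(card: dict) -> set:
    """Fields of a captured card record that must not be persisted."""
    return SENSITIVE_AUTH_DATA & set(card)


def prepare_for_storage(vault: Vault, card: dict) -> dict:
    """Return the record the application may persist after authorization:
    the PAN is replaced by a vault token plus a masked copy for display."""
    bad = forbidden_fields(card)
    if bad:
        raise ValueError(f"must not store after authorization: {sorted(bad)}")
    if not card["pan"].isdigit() or len(card["pan"]) < 13:
        raise ValueError("PAN must be 13+ digits")
    record = {k: v for k, v in card.items() if k in CARDHOLDER_DATA - {"pan"}}
    record["pan_token"] = vault.tokenize(card["pan"])
    record["pan_masked"] = mask_pan(card["pan"])
    return record
```

The stored record therefore contains no PAN and no CVV2 at all; a thief who dumps the application database gets tokens that are useless without the separately protected vault.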
What really worries me is the fact that PCI DSS is applied to and enforced on even the smallest shop and tiniest seller accepting credit cards; it costs them money, time and nerves to become compliant, and then a juggernaut like Sony happily crashes the party, rendering the effort of many virtually worthless.
It would be interesting to see whether Sony was or is PCI DSS compliant and, if so, what is going to happen to Sony regarding the possible costs arising from automatically monitoring credit card accounts, issuing new credit cards, refunding money lost by victims and all the other costs of clearing up the whole mess. Any mid-sized seller would now happily be driven into bankruptcy by credit card organisations and banks as a public sacrifice to show everybody: "Look here, this is going to happen to you, too, when you are not compliant".
Let's have a short look at a worst case scenario: suppose it comes out that 70 million credit card records have been compromised. Even if you say the underground value of this huge data set is 10 cents instead of the usual 1-2 Euro per single credit card record, the heist is still worth 7 million Euros. Not bad. Even if you are generous and say that 10 million data sets are invalid for various reasons, there are still 60 million left to exploit. That should keep organized cybercrime busy for a while.
If it is true that through the PSN breach credit card information and credentials have also been compromised on a large scale, then it is really questionable why any company should care about PCI DSS compliance if Sony didn't care at all. It's not only a punch in the face of PCI DSS but of all the companies which invested time, money and other resources to make the payment process more secure and trustworthy for the customer. The future will now show us whether the proverb is true that they hang the small and let the big get away.
The efforts to spread PCI DSS compliance in the world of credit card payments should also be scrutinized in the light of the PSN breach. It doesn't make much sense to me to help small and medium-sized businesses on their stony way to compliance if large corporations don't seem to be able to get their ducks in a row. And as a consultant I am simply sick and tired of finding excuses for the failures of others.