For the payment card industry (PCI), the current health crisis is looking like a Charles Dickens moment: Both the best and worst of times.
It is gaining millions of transactions, but it is also gaining risk — the more transactions, the bigger the “attack surface” for hackers.
The current pandemic has made cash a pariah, which is good for the PCI. You can’t really clean paper money between every transaction, and who has time to run coins through a wash? Not to mention you have no idea who touched it before it got to you.
So even some businesses that for decades took only cash — I know of two in my own little burg in northeastern Massachusetts — have suddenly upended their business models. They take only credit or debit cards now. Or even better, the contactless, near-field communication (NFC) kind — Apple Pay, Google Pay and others — that until last month had only gradually been gaining traction.
As Andrew Kilbourne, managing director at Synopsys, put it, “I love contactless payments because they’re exactly that — contactless. I don’t have to hand a sick person my credit card.”
And remote payment platforms like PayPal, Venmo and Zelle have been a thing for a while, but they are suddenly a much bigger thing, and are, of course, backed by a credit or debit card.
PYMNTS reported that transaction dollars in grocery stores are up 41.3% year over year.
This doesn’t mean an instant avalanche of profit for the PCI — there are calls in Congress for credit card fees to be suspended until four months after the pandemic is under control.
But it does mean expanded market share, which is likely to continue long-term. Consumers who may have favored cash will have figured out that they don’t really need it.
Cyber criminals follow the money
However, criminals notice these things as well, which is where “worst of times” comes in. Most, who are into cybercrime for financial gain, follow the money. They are also aware, like everybody in the industry, that when companies are forced to rush into making major changes, they tend to make mistakes, creating vulnerabilities to exploit.
Derek Brink, vice president and research fellow at Aberdeen, said his firm has tracked the transition to the “new normal.” Not surprisingly, the company has seen a spike in the use of business apps for collaboration and online meetings, along with the use of devices that “ensure the backup and rapid recovery of digital data needed need to keep the business moving.”
At the same time, Aberdeen found a decline in security measures for data and vendor risk.
“A time of crisis raises the priority of that which is most important,” he said. “First, get the users up, running, and productive in a WFH [work from home] environment. The empirical data show that security and compliance take a back seat, at least at first.”
Added to all that, well before the current crisis began, the trend for secure transactions looked ominous. Last fall, Verizon’s “2019 Payment Security Report,” found that the percentage of companies passing “interim security testing” under the Payment Card Industry’s Data Security Standard (PCI DSS) had dropped by nearly a third from 2016 to 2018 — from 55% to 37%.
There were factors, like a change in the data sample, that mitigated that drop somewhat. Still, the trend was in the wrong direction.
All of which puts pressure from two directions on the Payment Card Industry Security Standards Council (PCI SSC), which oversees compliance with the PCI DSS.
On one side is the obvious need to improve compliance with what is generally acknowledged as a minimum security standard. On the other side is pressure to relax regulatory standards at least somewhat until the pandemic subsides, along the lines of the federal Department of Health and Human Services’ (HHS)temporary relaxation of some compliance standards during the pandemic to allow for telehealth — remote health care.
The PCI SSC says it is allowing for more “flexibility.” Interim testing, done one or more times a year between the more formal annual testing for compliance with the PCI DSS, is meant to be done on-site by qualified security assessors (QSAs) or internal security assessors (ISAs).
But with most people working remotely from home, along with major travel restrictions, onsite testing is obviously more difficult, if not impossible.
Troy Leach, senior vice president of the PCI SSC, said the council is striving to give organizations flexibility while still maintaining the “efficacy” of compliance testing.
In a blog post published March 11, just before things were beginning to shut down on a massive scale, Leach said “There may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment.”
He acknowledged this week that circumstances are now obviously “exceptional,” and that some elements of testing will likely have to be modified. Things like reviewing documentation and conducting interviews with staff should be relatively easy to do remotely. But, he said, “We recognize that not all controls are going to be possible,” adding that “whatever testing happens needs to have the same rigor as the normal process.”
Ultimately, he said, it will be between the organization being tested and the entity asking for the report, such as a card brand.
Better than nothing
Matthew Getzelman, managing principal at Synopsys, said the current reality means all the players, including the PCI SSC will have to adapt. “I expect they will work out a compromise for both service providers and merchants that run into QSA onsite validation issues,” he said, calling remote assessments “a practical approach.”
“They can pretend that they will take a hard line, but the bottom line is that remote assessments are better than nothing in these circumstances. Any standards body needs to take a reasonable, practical approach that meets the needs of security and the safety of employees,” he said.
Kilbourne argues that credible testing can indeed be done remotely, and said the PCI SSC should start now adapting their testing to that reality.
“The new normal will be to do things remotely,” he said. “We even interact with our families remotely now. Waiting until things get back to normal will be a very long time.”
He said web systems can be tested remotely through a VPN, which can be secured. “For hard devices like point-of-sale (POS) systems, they can be shipped to the vendor for testing. We’ve tested TVs for electronics manufacturers in the past, and they just shipped them directly to us.”
All parties agree that, as has become a cliché, compliance isn’t security. Leach has said many times that the PCI SSC believes the opposite is true — that good security yields compliance.
So, in an exhortation for better security, the council recently issued a list of “tips” for better security aimed at the current situation.
They include multiple standard “security hygiene” items, including:
- Use strong passwords and strong encryption
- Keep software patched and up to date
- Use secure remote access
- Configure firewalls properly
- Make sure employees are trained to “think before they click,” given that an enormous number of breaches begin with a phishing email or other social engineering.
It’s about the data too
But better security is also about handling, and storing, data. And the advisory said one of the best ways to do that is not to store it at all. For example, merchants taking orders over the phone should “avoid writing payment card details down and instead enter them directly into your secure terminal,” it said.
Brink said he is optimistic that security will improve as organizations adapt, so the window of enhanced opportunity for hackers will begin to close.
When things stabilize, “attention to security and compliance — in a safe and responsible way — will also come back,” he said. “My view is that it will come back with a vengeance, in response to opportunistic attackers who have pivoted to exploit vulnerabilities in this time of transition.”