When the PCI council on Thursday (April 28) rolled out its new payment card security rules, it put additional emphasis on authentication and service providers, as expected. But it also took a key additional move by stressing the need for senior management — think CEOs, COOs, CFOs and potentially even board members — to get into the security details. Far too often, the levels above CIOs and CISOs don't understand PCI, they don't appreciate the details behind why security is needed, and they find the ever-increasing cost of security frustrating.
Troy Leach, the chief technology officer for the PCI Security Standards Council, said in an interview that he finds this lack of involvement problematic and that he fought for the new rule. The rule itself sounds innocuous and possibly even obvious, but there's a lot more to it. The rule, within Requirement 12, mandates that "executive management establish responsibilities for the protection of cardholder data and a PCI DSS compliance program." To Leach's mind, that means that they have to dig in and assume responsibilities for payments security and stopping the simple act of delegating it away.
"The intent is that we at least push the visibility to the executive level," Troy said, referring to the full text of the new guidelines. "We need for there to be different C-levels aware of compliance responsibilities." This change will demand "some type of accountability" with those non-tech executives, he said.
One criticism of payments security in general, and PCI rules in particular, is that they facilitate and enable checklist security. A common CEO security approach is to add more firewalls and other perimeter security to make it harder to break in, but the problem is that thieves simply up their attacks by the same amount. Troy cited another security cliché referencing these people, which is that when security builds a higher wall, cyberthieves simply bring a taller ladder.
Troy said this new rule was specifically targeting executives "who are in the ladder camp," adding that, in a perfect world, such a rule wouldn't be needed. "You'd like to not see this as a requirement," he said, but corporate reality is forcing the issue. In guidance that the council published with the new rules, he said the rule should also apply to board members.
Troy, who has held the PCI CTO role for more than eight years, speaks an uncomfortable truth. Ideally, PCI rules would govern and impact top-level technology security professionals (CIO, CISO) and retail payments leaders (typically in treasury and finance). But if they are getting pushback by bosses who haven't bothered to understand the rules, then something needs to change.
The council envisions this new rule forcing those non-tech C-levels to review where their efforts lie, where they are falling short and why. Security is all too often seen as nothing more than a mandated cost center, not unlike paying fire and errors-and-omissions insurance, assembling corporate tax returns or preparing SEC filings. That leads to a minimalistic approach, with questions such as, "What is the least we can do to comply?"
To go back to Leach's ladder comment, these execs don't merely want a taller wall. They want the cheapest construction effort possible to construct a wall just barely taller than the ladder most thieves already own. In the military, the counterpart cliché is assembling a fighting force equipped to win the last war, not the next one.
Another important reason for bringing senior brass into these rules is that the cybercrime battle is going to be getting much more complicated. Troy stresses that payments is going to be soon "getting to a place of dynamic data." Although this digital transformation will make security stronger, it's probably more accurate to say that it will make security challenges different.
And heading into a different IT place is a change. Change requires rapid adaptation and the flexibility to shift tactics. If there are two things that global cyberthieves are better at than those, I don't know what they are. Even worse, change and adaptation are the Achilles' heel of most multibillion-dollar companies. With committees and approval levels and the need to educate executives at each level — not to mention corporate politics at every stage — speed and agility are rare enterprise traits.
Put those together and it's easy to see why cybercrime payments wars could easily get a lot more frightening before they get better. To PCI's point, this is probably an essential time for CEOs to learn the ins and outs of payments security.