"Compliance isn't security - even if you're compliant, you aren't necessarily secure".
I recently heard this quote at an event for the payments industry and asked myself, "Is it really that simple? What should we do about it?"
This three-part series of blog posts will explore the history of cybercrime and propose answers to the questions above. In this post we will start with lessons from the past and look at the historical struggle between data security regulations and cybercrime. The second post will deal with the evolution of hacking and the final post will be about key takeaways and finding the right data-centric security strategy.
Let’s start by taking a look at the history of two major data security regulations: the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).
The history of PCI DSS
Between the late 80s and late 90s Visa and MasterCard lost more than 750 million dollars due to credit card fraud, a significant amount of money for the time – but then the internet changed it all from bad to worse. More and more e-commerce websites were enabling online purchasing. For fraudsters it was easier than ever before to capitalize on these poorly protected systems.
To act on the problem, Visa became the first card brand to develop security standards for merchants in 1999. But there was a problem. Only a small number of companies were able to meet the requirements and online credit card fraud was growing faster and faster. In the early 2000s, the revenue lost due to online fraud was reaching into the billions.
On December 15, 2004, PCI DSS 1.0 – the first unified security standard – came to life. By June 2005, all merchants servicing more than 20,000 transactions per year needed to be compliant. But despite having a data security road map laid out in front of them, a lot of businesses underestimated the need for data security and believed PCI compliance wasn’t worth the investment in time and money.
Unfortunately, the bad guys didn’t sleep. Over time a number of hacks occurred – but in 2007 the TJX data breach was the first that generated a lot of public attention. After months of research, the investigation team determined that 45 million TJX customers were affected.
Still, a lot of merchants were not able to comply with the high bar set by the PCI DSS. According to industry estimates from 2007, 60% of merchants were not able to meet the current standard. Somehow the PCI Security Standards Council needed to ease the standards – but by how much? Does a regulation even make sense when it’s too easy to comply with?
In 2007, compensating controls made it easier to be compliant. Companies were now able to avoid specific requirements and mandates if they were deemed too difficult or too costly to do correctly. But this was a double-edged sword. Now the QSAs were in charge of deciding whether a compensating control was acceptable or not, which made assessments highly ambiguous and stressful for companies.
In 2009, Heartland Payment Systems revealed a data breach from late 2008 that affected 130 million payment records – even though they were PCI DSS compliant. Once again the entire PCI specification would be called into question.
What happened to the PCI standards?
Over the years the PCI standard was enhanced with new specifications and technologies. In August 2012, Visa reported that 97% of level 1 merchants (those who process more than 6 million transactions annually) were PCI compliant. But despite the years the PCI DSS has existed, some merchants still don't comply with the mandates or they’re still using compensating controls – which leaves them open to harmful data breaches.
And even for those who are PCI compliant, simply being compliant hasn’t always been enough. A lot of breaches in the US – especially those targeting payment providers – affected organizations that were fully PCI compliant. PCI compliance may mean that a company is following industry best practices to prevent breaches, but that’s still not a guarantee that one will never occur.
The history of GDPR
Let’s look at another regulation, one driven by governmental ideas: GDPR.
In October 1995, the European Data Protection Directive (Directive 95/46/EC) came into effect. It was there to protect individuals with regard to the processing of their personal data. Even though basic rules of data privacy were defined here, the directive didn’t define any consequences for non-compliance – and in the following years data privacy was not taken seriously at all.
It wasn’t until 2012 – 17 years later and 5 years after the smartphone revolution – that the European Commission proposed a reform of the 1995 data protection rules. In 2014, the European Parliament demonstrated strong support for the GDPR by voting in plenary with 621 votes in favor, 10 against, and 22 abstentions.
Two years later, in May 2016, the GDPR entered into force. It reinforced well-known, existing rights but also added new ones for individuals, including the right to be forgotten – the ability to request that an organization delete your personal data.
GDPR also requires “data protection by design and by default”, which means that all business processes that handle data have to be built with consideration for those principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate).
On May 25, 2018 the General Data Protection Regulation became directly applicable throughout the EU.
GDPR changed the world. But what’s different from PCI is that GDPR didn’t develop organically over time. There was a hard deadline. In the coming months we will see how companies react. As usual, the cost of compliance has been underestimated – and a lot of companies are still not compliant.
We started with a quote, so we'll finish with another one:
"Know your enemy and know yourself, then you will not once be defeated in a hundred battles". - Sun Tzu
Is this true for technology? What does cybercrime look like today? In the next part of this series we will look at the evolution of hacking to better understand our digital enemies.