PCI Hypocrisy: Citi’s Data Breach
Written by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
This past week, Citigroup announced its credit-card systems were hacked, compromising the card information of approximately 360,000 individuals. If this were a retailer, we would expect to see the card brands order a formal review by a PCI Forensic Investigator (PFI), a re-assessment of the retailer’s PCI compliance at the time of the breach and possibly significant fines and other penalties. Will Citi treat itself as harshly as it treats its retailer customers that are breached? I wonder (and I imagine just about every merchant or processor that paid for PCI compliance or suffered a breach is wondering, too) whether Citigroup will face similar consequences.
Just about a year ago, I raised the question of whether payment-card issuers should have an outside assessment of their PCI compliance. Everyone understands that issuers need to be PCI compliant. The PCI Council’s Frequently Asked Questions (FAQ) #5391 confirms this position with the statement: “PCI-DSS applies to any entity that stores, processes or transmits cardholder data and any such entity is expected to comply with PCI-DSS, including issuers.”
The big difference between merchants and issuers, however, is how they validate their compliance. Or I should say, whether they even need to validate their compliance. That same FAQ continues: “At their discretion, payment-card brands may require issuers [emphasis added] to validate PCI-DSS compliance.” In this case, the payment-card brands are American Express, Discover, JCB, MasterCard and Visa.
Let’s be clear on one thing: This data breach is a big deal. Based on public reports (I have no first-hand or inside information), hackers broke into Citi Account Online sometime in May and made off with the names, PANs, E-mail addresses and other personal information on roughly one percent of its 21 million North American customers. Maybe one percent doesn’t sound like a big number, but it translates into about 360,000 compromised accounts, which is a big number. Note, too, that the “other personal information” compromised could lead to identity theft and much more serious consequences for individuals than the inconvenience of having their credit or debit card replaced.
We should give Citigroup credit for going public to the extent it has fairly soon after the breach. But other than replacing the compromised cards, I have not read anything to indicate what Citi is doing internally to fix its system and network vulnerabilities. I would also be curious to know whether the card brands are involved.
If a retailer lost 200,000 PANs and cardholder names, the affected card brand(s) would want some answers. I know an organization that was ordered to investigate a breach, and it involved only 12 cards. A card brand could order Citigroup to go through a more formal forensic investigation (which Citi would get to pay for). Even if such an investigation isn’t ordered, it sounds like a good idea because Citi announced the breach was due to an external attack. (Full disclosure: I work for a QSA firm that is also a PFI.) Will Citigroup be ordered to conduct such an investigation?