I guess when your logo is a bulls-eye, you can’t be too surprised when people take aim.

KJR has refrained from commenting on the Target situation on the grounds that (1) it’s received plenty of coverage elsewhere; (2) we don’t play dog pile on the rabbit around here (but we do occasionally refer to ourselves with the Royal We); and (3) when it comes to information security, what we know is that doing it well takes people who know a lot more than we do.

But really, who could resist, especially when the single most notable and important aspect of this mess — the complete and utter failure of PCI-DSS (Payment Card Industry Data Security Standard) certification to prevent such a massive theft — has received little attention from the trade press and just about none at all from mainstream media accounts.

Keep in mind that PCI certification is 100% private-industry designed, funded, and practiced. It came from the payment card industry itself (the card brands, acting through the PCI Security Standards Council), with no government intervention anywhere in sight, and few or no “perverse incentives” to maim the marketplace either.

It’s the industry’s attempt at self-regulation, and it’s failed dismally. How can that be, given how much money is at stake?

Answer #1: It doesn’t matter how much money is at stake. We’re talking about an industry standard, and all industry standards share the same fundamental challenge: The process of developing and ratifying them is, at its core, legislative. There are lots of stakeholders, who eventually group into disagreeing (and often disagreeable) factions, resulting in a design that’s chock-full of political compromises.

Which isn’t a criticism of standards-creators. Creating even a mediocre standard is hard, painstaking, time-consuming work. As with any large-scale consensus, the problems are intrinsic to the process, not the participants.

Answer #2: Standards-driven certifications are yet another example of Metrics Gone Bad, which is what happens whenever a metric becomes the point of the exercise, instead of actual success.

Certifications are metrics, which is to say they’re supposed to be a way of telling whether or not someone has achieved the results they’re supposed to achieve. What, you thought a metric had to be a number?

And every time the metric becomes the point, whether it’s a college student wanting a diploma instead of an education; a supplier wanting ISO-9000 certification instead of wanting top-notch internal processes; or a retailer seeking PCI compliance instead of well-protected customer data … every time the metric becomes the point it prevents something good from happening.

And once you have a metric, it’s rare that it doesn’t become the point.

Boiled down to basics, certification means passing a test. So far, so good — tests are designed to gauge knowledge and competence. But (and you knew “but” was hanging over that sentence like the Sword of Damocles) …

Those taking the test have a personal stake in passing that exceeds their personal stake in acquiring knowledge and becoming competent. If they’re job-seekers, their careers depend on it; if they’re retailers, their ability to receive payments with something other than cash depends on it; if they’re cramming for the SAT, their college entrance and future careers depend on it.

Those who seek certifications are incented to pass the test. Achieving actual competence becomes the byproduct, not the point.

Answer #3: What PCI provides is a manual for data thieves. By spelling out what is protected, and how, it spells out what isn’t protected and is vulnerable. Call me naïve; this doesn’t strike me as the best idea anyone ever had.

Which brings us to Target, which can certainly afford the best information-security money can buy (okay, the second-best after the NSA, but let’s not quibble) and is undoubtedly PCI certified. And yet …

Here’s what I don’t get. I’m imagining myself sitting inside Target’s firewall. Its head of information security isn’t even trying to keep me out. Quite the opposite, he’s giving me every credential I ask for. I’m trying to track down where the POS modules reside so I can attach malware to them … without showing up in any server logs … then to figure out the protocols for propagating POS software updates to the stores.

But a company the size of Target has thousands of servers and hundreds, maybe thousands of applications in its portfolio, none named POS_SourceCode_ComeAndGetMe.cxx.

Without documentation or colleagues to consult, I wouldn’t know where to start.

Would you?

* * *

Fifteen years ago in the IS Survival Guide: a simple formula for predicting which software products will succeed and which ones will fail. It works!