Companies who get hung up on regulatory compliance are developing a false sense of security which leaves them just as open to malware attacks the chief exec of tools vendor Protegrity has warned. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies as a means to bolster the …
No standard is ever 100% secure, but...
..PCI was never intended to make merchants invincible to attack. It does, however, go a lot further than the likes of ISO 27001 and SOX in prescribing some very effective ways in which a small organisation without the money to invest in a CSO can reduce exposure.
Being prescriptive is a drawback - one size certainly does not fit all and many organizations have fallen victim to interpretation issues around the standard and been led into expensive, vendor-laid traps, sponsored by the QSA whom has delivered the gap analysis, solid remediation solutions and completed the final audit. Does something sound fishy here?
If you take PCI at face value, which is a top 12 list of things you should do to improve security posture, at mostly a technical level, then I think it serves it's purpose very well. Try throwing ISO 27001 at the millions of merchants that present a security risk to the card schemes. It's not going to work - 99% of these companies are just too small and an ISMS cannot be scaled downward to fit.
Fully agreed there are some unscrupulous companies whom allegedly forcefeed their customers with over-the-top, expensive products or even managed services, but this isn't a problem with the standard, it's an problem with PCI SSC, an infant organization that is supposedly there to regulate the hundreds of firms and thousands of QSAs and make sure they all behave. Taking some firm steps such as separating companies that offer gap analyses and those that can audit and booting useless QSAs off the programme would go a long way.
It is far too easy for a merchant to gain certification - I'm sure there are many merchants whom just tick yes to each of the questions, submit their SAQ and get the certification without giving it a second thought. After all, what's really there to stop them? What are the consequences of lying on a SAQ? Will anyone ever find out, or is one merchant safe amongst millions of others...?
Last, but not least, it's far too easy to become a QSA, and even though the QSA programme says that QSAs should not show bias toward remediation solutions from which they benefit, this practise is VERY commonplace. For example, if you looked at a reputable QSA that rhymes with Dave, their salesmen are ONLY incentivised to sell their own remediation solutions and managed services (and heavily, at that). So which side of the fence do you think the apple will fall... ? Even Protegrity could become a QSA (or any other vendor, for that matter). I'm sure they'd make a very good one, too! :)
Come on PCI SSC - pull your finger/s out and start forcing some change before things get out of control.
No surprises then?
This reminds me a lot of the ISO9000 accreditation debate. It has nothing to do with quality (even though it's a "quality" standard).
As one leading business chappie said some years ago (I'm afraid I don't recall who it was) "ISO9000 has nothing to do with improving quality. It's just a way of ensuring the production the same crap consistently".
I'd say that was a pretty good analysis particularly of the value of the Standard itself.
PCI is pragmatic set of requirements that are designed to satisfy adequate protection of card data by the merchant. Its failing, or more accurately the failing of any organisation who believes that implementing PCI renders them secure, is that it does not really address the fundamental requirement of any system for managing information security which is the effective measurement, identification and management of risk other than by documenting a requirement for regular penetration tests.
Compliance today does not mean compliance tomorrow without robust processes for the management of risk.
Cant comment on QSAs other than the fact that nothing would surprise me. The degree to which Sarbanes Oxley rapidly became a cash cow for the 'Big 6' consultancies has left me rather cynical of 'independant' assessors....
I would disagree on the suitability of a formal ISMS for small organisations. I've always thought that this scales very well - you just need a simpler set of processes and controls. And demonstration of management committment is much easier in a small organisation where the execs are less remote from day to day activities. Assuming of course that there IS management committment. Which leads me to my last point.
One of the biggest issues with regulatory control structures whether they be based on PCI or ISO27001 doesnt actually lie with the standards. It lies with the attitudes of the organisation implementing them. As an independant consultant I've worked with organisations who were quite happy to demonstrate compliance by lying through their teeth. Zero committment to the security of customer data. One hundred percent committment to spending as little as humanly possible on information security and to the maximisation of profit.
Did he actually read the standard ....
Lots of vendors are using the PCI DSS as a standard or lightning rod for their own agenda.
Last week Fortify's Brian Chess opined that the breach at Hannaford was likely malware and not an inside job. Shortly afterward, news outlets are reporting this as fact. The jury's still out.
Compare what has come out in the news after the Hannaford breach compared to the TJX breach over the same period of time. After TJX it was fairly obvious looking at the available news that they likely had multiple areas where they were out of compliance with the PCI standard. With Hannaford, it is less clear. Now they may be better at controlling the release of information than TJX was. Or they may have been better controlled. The story will come out, but in the absence of real information speculation shouldn't be taken as news.
Now Rapkin is blaming a standard for the check box mentality held by many people. It is in the nature of people to do this. No standard will ever change this. Now Rapkin's position is less blatantl than Chess's, but I have to wonder if he's actually read the whole standard. Or has he just looked at the technically prescriptive parts and found them wanting from his perspective? (Or hast he interviewer left out those bits).
The standard as well as having lots of technically prescriptive parts has some governance parts that are important. Compliant organizations have to include specific due diligence in the management of their contracts. They also have to have ongoing risk assessment processes. That should address a lot of those security concerns.
Rapkin seems to make a common mistake. That is equating how an organization demonstrates compliance versus their being compliant.
Sure the standard has flaws. Nothing in the real world is perfect. And there are lots of ugly bits in it. Are there ways to make it better? Certainly there are. There are also lots of ways it could be made worse.
To some degree it is a case of locking the barn door after the horse has left. Except there are lots of barns and lots more horses. Some have said PCI is an expensive fix. But is the alternative really no more horses and barns? And the DSS isn’t the whole picture either. There are other PCI standards, there is chip and pin, and other practices are needed. None are perfect. They have flaws. Those flaws need to be worked through. Yes it would be nice to get better security out of the gate. There are lots of people working towards that goal. And they don’t always agree. The point is that it’s going to be an evolving processes.
By definition this area is a moving target, an arms race of sorts. It will also have to change as the criminals shift their attacks. And they will shift their attacks as the easy holes get closed off. A new version of this standard is due this fall. When it comes out, it should be better. But then the criminals certainly aren’t sitting still either.
So the answer is to give lots of money to Protegrity?
Really, doesnt cover ALL Compliance?!?!
Here in the US we have companies that really do believe that they are secure and that they will never have a breach, and PCI is their rule stick.
I deal with persons everyday that tell me that they are compliant, I know they have no clue, and as of Nov. 1 we will be separating the wheat from the chaff.
PCI does not protect you from having a CSO, matter of fact that is one of the new rules that are being implemented, there is no added cost since the CSO can be a person already in your company, they just need training on how to recognize potential threats, and to be listened to when they bring up critical areas for a potential breach.
The problems are not with FACTA, PCI or any other regulation, it is with implementation of the regulations, and this is NOT an IT problem it starts with the CEO's and the board rooms, and the new regulations put the responsibility right where it needs to be, if the business is not compliant and they haven’t trained their employees, then the board and CEO's are looking at civil and criminal liability.
The sooner businesses realize that this is not a joke, and that they need to be compliant the sooner that the consumers will be protected; I can’t wait to hear the explanations from them when they have a breach after Nov. 1, 2008.
That is called "willful non-compliance" they will be twisting in the wind, while the IT people will be saying "told you so", if the CEO doesn’t listen, document that you informed them, and wait, until they (CEO's) listen you are wasting your good breathe.
ISO 9001 is a Quality Management System not a Quality Standard (QMS). Just like ISO 27001 is a Information Security Management System (ISMS) not a Security Standard. The ISMS is part of an overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. It has 133 controls defined by Annex A defined as the normative for control objectives and controls.
The 133 controls is the begin of your summary of controls. These 133 control are just a starting point you may need to add more controls to build your catalog of controls.
PCI DSS does make great strides at addressing the inherent risk of maintaining card holder data. I would like to hear an argument of organization that has implemented PCI DSS without reducing the residual risk. Residual risk should be used as a key performance indicator (KPI) for measure the relevance to security not the individual incidents.