Does PCI DSS Expose Risk Or Create It?

June 8, 2009 by ADMIN

By Ed Rarick, PCI Evangelist at Tripwire

I have read many opinions on who is to blame for cardholder breaches, and many of those opinions are thoughtful and make a lot of sense.

But to throw the Card Brands under the bus for trying to get merchants and acquiring banks to pay attention to the security of cardholder data makes no sense to me.  And to have that opinion coming from a member of the U.S. House of Representatives takes the cake.


PCI security standard gets ripped at House hearing, April 1, 2009 (Computerworld) by Jaikumar Vijayan:

In one of the bluntest denouncements of PCI DSS to date, Rep. Yvette Clarke (D-N.Y.), chairwoman of the subcommittee that held the hearing, said the standard by itself is simply not enough to protect cardholder data. The PCI rules aren’t “worthless,” Clarke said. But, she added, “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.”

The article goes on to reiterate the well-known points that both Hannaford Bros. Co. and Heartland Payment Systems were certified as PCI compliant while breaches were occurring.

To make her point about why the PCI DSS rules are not effective, Rep. Yvette Clarke made these statements:

  • “…standard by itself is simply not enough to protect cardholder data”
  • “The PCI rules aren’t ‘worthless’…”
  • “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.”

No kidding! The PCI Security Standards Council has been saying the same things all along. In fact, they publish a Ten Common Myths of PCI DSS document that, in summary, says that PCI compliance is not a one-time event.

Myth 8 specifically says: “True security of cardholder data requires non-stop assessment and remediation to ensure that likelihood of a breach is kept as low as possible.”

That statement is clear as a bell to me – pay attention to security continuously.

Myth 10 says: “When people say PCI is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.”

That makes sense to me, too.

Keeping any data secure in today’s IT world is hard, extremely hard, but affected organizations can, I think, try harder.

In a sample of 112 assessments, VeriSign found the following failure rates for 10 of the 12 PCI DSS requirements:

  • 79% failed Requirement 3: Protect stored data.
  • 74% failed Requirement 11: Regularly test security systems and processes.
  • 71% failed Requirement 8: Assign a unique ID to each person with computer access.
  • 71% failed Requirement 10: Track and monitor all access to network resources and cardholder data.
  • 66% failed Requirement 1: Install and maintain a firewall configuration to protect data.
  • 62% failed Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • 60% failed Requirement 12: Maintain a policy that addresses information security.
  • 59% failed Requirement 9: Restrict physical access to cardholder data.
  • 56% failed Requirement 6: Develop and maintain secure systems and applications.
  • 45% failed Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

There is something wrong here, and PCI DSS is exposing it, not causing it.

Too many merchants are going for the compliance certificate and not going for continuous security, which would yield continuous compliance.

We should not give up on PCI DSS unless, or until, VeriSign repeats its sampling, finds that those same percentages are now passing the PCI requirements, and breaches still continue at the same rate and level as they do now.

We are not there yet.

And until we are, I think the PCI SSC and the Card Brands need to keep pushing merchants and acquiring banks to go beyond seeing PCI DSS as just a checklist and see it for what it really is—basic security best practice that must be assessed, remediated and reported on continuously.

Ed Rarick is PCI Evangelist at Tripwire, Inc. With decades of industry experience working hand in hand with retailers, payment card processors, hoteliers and restaurateurs, Ed has an enterprise-wide understanding of the issues facing businesses that must comply with the PCI standard.

Tripwire helps over 6,500 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency across virtual and physical environments. With its industry leading configuration assessment and change auditing software solutions, IT organizations achieve and maintain configuration control. Tripwire is headquartered in Portland, Ore. with offices worldwide.

*   *   *


Comments


Tim on Mon, 8th Jun 2009 7:40 am

    > The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business.

    OK, makes sense. You get in trouble for not following a mandated standard, so follow the standard to not get in trouble.

    > Implementing PCI DSS should be part of a sound, basic enterprise security strategy

    Does not follow. This assumes that trying to follow DSS actually improves security and prevents breaches.

Tom on Mon, 8th Jun 2009 10:12 am

    A good read. Also worthwhile reading http://www.infoseccynic.com/2009/06/07/is-pci-dss-useless/

    In my humble opinion, a PCI DSS certification is a bit like a car’s MOT test (an annual UK car motor examination to determine if a car is roadworthy).

    At the time of the test, the checker may deem a car to be roadworthy… for that car, at that specific moment in time.

    Subsequently the car driver may have an accident, or blow a light bulb… this would mean the car is no longer roadworthy, but it is the driver’s responsibility to spot this and to rectify it. You can’t take the car back to the examiner and complain that they’re the one who passed the MOT.

Dr. Privacy on Sat, 13th Jun 2009 9:52 am

    The Federal Government didn’t do very well on the recent security assessments that revealed significant vulnerabilities related to national security. I abhor the double standard that exists with regard to privacy and security in business vs. government. Technical security is a fluid challenge.

    The issue is the lack of “good faith” compliance, as the results above indicate. Instead the focus has been on passing audits, not on protecting information. I have observed this in the banking industry. The responsible persons lose sight of the purpose of federal laws (e.g. Red Flags Rule) and industry regulations (PCI DSS). The purpose is to protect consumers and protect the entity from liability — not to just pass an audit!

Joe Corporate on Mon, 15th Jun 2009 4:59 am

    The fact that data breach, exposure, downtime and cleanup costs *can* exceed PCI compliance is largely immaterial, as the probabilities of them doing so are so small as to not serve as an effective deterrent to lax security. The fact that PCI compliance costs *will* be realized and will almost certainly greatly exceed several years’ worth of experienced breach costs for the vast majority of the businesses which must comply, is a much stronger motivator. That is the reason why businesses either choose not to strive for full compliance, or complain loudly about the costs. And it’s not like there isn’t some good merit to the criticisms of the card associations’ lack of leadership and failure to create a more secure architecture and process — for all the good points of PCI, there is some truth to the merchants’ arguments that the card associations are merely transferring risk to them. The attitude that is created - and evinced in the article above - is one of putting the card associations and the merchants at odds and finger-pointing over this topic. Both need to realize that neither can survive without the other and that the current approach is not working.
