PCI Compliance Does Not Equal Security
By Danny Lieberman, Security Expert and Founder of Software Associates
I recently saw a post on the corporate blog of a company called Cloud Compliance, entitled “Is Compliance the New Security Standard?”
Cloud Compliance provides a SaaS-based identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights to prevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.
The basic thesis of the blog post was that since companies have to spend money on compliance anyhow, they might as well spend the money once and rename the effort “security”.
This is an interesting notion – although perhaps “placebo security” might be a cheaper approach.
Compliance is not equivalent to security for several fundamental reasons.
Let’s examine this curious notion, using PCI DSS 1.2 as a generic example of a regulatory compliance standard that is used to protect payment card numbers:
- Filling out a form or having an auditor check off a list is not logically equivalent to installing and validating security countermeasures. A threat modeling exercise is stronger than filling out a form or auditing controls; it is significant that threat modeling is not even mentioned by PCI DSS, despite the ROI on think time.
- Although PCI DSS 1.2 is better than previous versions, it still lags behind the curve of typical data security threats, which means that even a business that implements all the controls is probably still vulnerable.
- PCI DSS was designed by the card associations; no blanket standard will fit the needs of a particular business, any more than a size 38 regular suit will fit a 5′ 7″ man who weighs 120 kg and wrestles professionally.
- PCI DSS talks about controls with absolutely no context of value at risk. A retailer selling diamond rings on-line may self-comply as a Level 4 merchant but in fact have more value at risk than the payment processor service provider he uses. (See my previous post on Small merchants at risk from fraudulent transactions.)
- PCI DSS strives to ensure continued compliance with its (albeit flawed) standard through quarterly (for Level 1) and yearly (for everyone else) audits. The problem is that a lot can happen in 3 months (and certainly in a year). The automated scanning that many Level 2-4 merchants do is essentially worthless, but more importantly, threat scenarios shift quickly these days, especially once you take into account employees and contractors, who as people are by definition unpredictable.
- PCI DSS 1.2 mandates security controls for untrusted networks and external attacks. The phrases “trusted insider” and “business partner” are not mentioned once in the standard. This is absurd, since a significant percentage of the customer data breaches in the past few years involved trusted insiders and business partners. A card processor can be 100 percent compliant, but if it has a Mafia sleeper working in IT, it could be regularly leaking credit card numbers. This is not a theoretical threat.
- Finally, PCI DSS is a standard for whom? It is a standard to help the card associations protect their supply chain. It is not a policy used by the management of a company to improve customer service and grow sales volume.
To summarize:
- PCI DSS is a standard for the card associations not for your business, nor for your customers.
- As a security standard it is better than none at all, but it leaves much to be desired because it is not oriented towards business and consumer protection.
Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 – Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention /extrusion prevention technology.
Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at: +972 54 447 1114 - he is always looking for interesting projects and ideas.
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
October 29th, 2009 at 9:21 am
You’re preaching to the choir here!
The main problem that I see when it comes to security vs. PCI DSS compliance is that management is confused: if I’m compliant with what I have to do, why do I care about anything else? It doesn’t appear that it will improve the bottom line. What many miss is that if you aren’t secure, you really aren’t compliant, regardless of what the IT audit shows.
I wrote a piece on this a while back: http://blogs.sans.org/it-audit/2009/01/20/you-might-be-compliant-but-are-you-secure/
October 29th, 2009 at 10:35 am
It’s always gratifying when a blog post gets noticed, and I should be flattered since Danny Lieberman has commented on my blog post at different sites at least five times! Each time, however, he’s misrepresented the content of the blog post. Normally I don’t respond to comments to my blog, but in this case I need to set the record straight.
First, he gets the title wrong. The blog article is entitled “Is Compliance the New Security Standard?” (a question), not “Compliance is the New Security Standard” (an assertion). If someone can’t cut and paste a title correctly, what are we to think about the integrity of their content?
As the opening paragraph of my article makes clear, the blog article is a continuation of a discussion from the “Cornerstones of Trust 2009” conference which I had attended a day earlier. Here’s the summary (taken from the content of the article):
“Given the compelling case for securing the enterprise, why do CEOs fail to invest more in security solutions? Does this simply represent a failure of IT and security staff to make a compelling business case? Or are the CEOs in fact being short-sighted?”
Nowhere in my article do I imply, as stated above, that since companies have to spend money on compliance, they might as well spend the money once and rename the effort “security”. You be the judge: read the blog post yourself at http://www.cloud-compliance.com/blog/bid/27935/Is-Compliance-the-New-Security-Standard.
Lieberman says in another comment that I’m “selling snake oil”. Of course bloggers like to be controversial to get read, but I would suggest that getting one’s facts right is far more important.
In fact I agree with most of Lieberman’s thoughts on security and its importance in contrast to compliance.
If we want to have an honest discussion of a critical topic, let’s make it fact-based. You may disagree with my hypothetical CEO perspective; you may disagree that compliance provides a liability shield; you may disagree with the Ponemon study regarding the cost of a data breach; and you may disagree that compliance spending is a factor in making security spending decisions. But please don’t intentionally misrepresent the points made and smear the author with “snake oil” insults. That doesn’t get us any closer to understanding issues around an important topic, a topic with no easy answers, as evidenced by the thoughtful discussion among security professionals at the “Cornerstones of Trust 2009” conference.
- Robbie Forkish
October 29th, 2009 at 10:58 am
I agree with most of what you’re saying, though the PCI Council has always:
1. Aimed to strike a balance to make their requirements feasible for the majority of businesses.
2. Gradually increased the requirements as they get merchants and processors compliant.
Many of us in the business believe it is just a matter of time before they begin adding the more stringent internal requirements.
Also there are no quarterly audits, everyone is audited annually, with the difference being that some Level 1s and some Level 2s require an independent audit (they cannot self-assess).
October 29th, 2009 at 11:16 am
Adrian -
I agree with your complimentary assessment of the principles of PCI DSS, but in practice it seems as though it is ultimately nothing more than an attempt by the card issuers (who make up the PCI Security Standards Council) to provide legal cover from liability when breaches occur.
See: http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail/
If the card issuers were truly concerned about security, why do they push the less secure “signature debit” on merchants over the vastly more secure “swipe and PIN” method?
Because they can charge merchants a higher percentage fee for the increased risk, and reap higher profits. Consumers pay in the end.
That’s why the card issuers have such great “fraud protection” and will pay for all kinds of unauthorized purchases instead of securing against those fraudulent transactions.
Case in point - a suit between Visa and Walmart. Visa succeeded in compelling Walmart to accept “signature debit” in exchange for a payment somewhere in the billions of dollars (look it up).
The settlement is being challenged, because Walmart has figured out that Visa has charged them in fees several fold what they paid to secure the settlement.
Card issuers make money off of risk, not security, but they did set up a nice GSA cottage industry based on “security” that costs consumers even more in the end, and really does little to improve security.
Notice how all the processors like Heartland seem to be compliant unless they are breached? Do you ever hear of a processor being removed from the PCI compliant list based on a QSA evaluation?
The money is in the risk, and the ability to stay out of the fray if something goes wrong - that is PCI DSS.
October 29th, 2009 at 2:36 pm
It is no secret that PCI DSS is for the credit card company’s security and loss protection rather than for the Retailer’s Fraud and Loss Prevention.
It is to be implemented in order to put the liability of potential customer damage by lost credit card data towards the Retailer, and away from the CC companies.
My biggest issue with implementation of the PCI standard as a retailer is the fact that having certified vendors is not sufficient in order to cover the outsourced areas of my operations, but that I have to verify the proper implementation and accuracy of those certificates as well. That increases the scope of a certification severely.
If someone were able to follow all 212 recommendations and requirements laid out in the PCI Standard, I would still say, as a company you then are pretty secure and safe when it comes to data security. I am saying this in regard to the overall data security measures PCI requires, like password strength and rules for non-shared generic accounts, network security like firewalls, virus / malware protection etc., which have to be implemented regardless of whether or not credit card information is stored within the company data network at all.
October 29th, 2009 at 2:47 pm
Carsten -
True, it is a great set of guidelines. But I would argue that there is more incentive for good security in the desire to protect your customer base and brand identity against damage from sloppy administration.
QSA is basically just a system where the merchants and processors are paying for the card issuers liability insurance, while the card issuers push convenience over security.
Nothing convenient about identity theft or mass data loss.
November 1st, 2009 at 8:47 am
Robbie has taken umbrage at my incendiary use of the term “Snake oil”.
See http://www.software.co.il/wordpress/2009/10/compliance-is-the-new-security-standard/
See also http://en.wikipedia.org/wiki/Snake_oil for a discussion of Snake oil (originally a Chinese remedy for rheumatoid arthritis).
“The snake oil peddler became a stock character in Western movies… selling some medicine (such as snake oil) with boisterous marketing hype, often supported by pseudo-scientific evidence, typically bogus”
American security vendors routinely use boisterous compliance-based marketing hype supported by pseudo-scientific evidence of cost per record. This would appear to fit the above definition quite well.
I refer to a general malaise that appears to have attacked US security vendors with the vengeance of H1N1 Swine flu.
Now back to Robbie’s original post:
“Security spending for compliance, then, is a given. And while compliance spending may not comprehensively protect the enterprise against a breach, it does provide one important bit of protection: liability. From the CEO’s perspective, while the cost per record of responding to a breach may be high, it’s nowhere near the potential cost of lawsuits resulting from said breach. And achieving compliance appears to provide a liability shield.”
“Therefore, the CEO thought process might go something like this: Security spending for compliance is mandatory. And while additional security-related spending might make us more secure, it doesn’t add anything in terms of liability protection.”
There are several things going on here that are worthy of discussion:
1. The essence of compliance
2. Ethics
3. Cost
4. Liability
1. The essence of compliance
Security product vendors are fond of waving sheaves of compliance TLAs, but different regulations have incompatible meaning and intent.
PCI DSS is a security countermeasure for the card associations, not for the merchant, though in practice it is common for the card associations to raise interchange rates and file lawsuits on PCI-compliant merchants who had security breaches, employing an additional security countermeasure of “risk transfer”. It is the case of the Golden Rule - “He who has the gold rules”.
HIPAA is a security countermeasure for the consumer - intended to help people keep their information private, though in practice it is normal for providers and health insurance plans to require the waiver of HIPAA rights as a condition of service.
Can we use HIPAA and PCI in the same context of security product and services when they refer to different asset owners?
2. Ethics
From an ethical perspective - the essence of security is end-customer protection. Using automobiles as a prime example, DOT regulation focusses on customer safety. See http://www.nhtsa.dot.gov/cars/rules/import/fmvss/index.html
Unfortunately, in the American corporate world, a “Get out of jail free” card is more important than ethics. Sarbanes-Oxley 404 basically says “thou shalt not cook the books”, i.e. financial reporting should be conducted in an ethical way.
While ethics is free - the corporate governance franchise costs the US economy 1-2% of the GDP. Money, apparently not well spent, as SOX-compliant institutions dragged the world into a great financial crisis in mid 2008.
Do you agree that “liability protection” is more important than ethics and customer safety?
3. Cost
“While the cost per record of responding to a breach may be high, it’s nowhere near the potential cost of lawsuits resulting from said breach”.
Interesting statement. How do we compare the “potential” cost of a lawsuit with a “cost per record”?
A more objective measure is stock performance (since Robbie calls on me to stick to facts).
Taking TJX and CVS Caremark as factual examples - both stocks track the S&P500 nicely over a 5 year average - reaching a low in Feb 2009 (when everyone took a beating) and reaching a year-high in mid October 2009 (when everyone did well).
See http://www.software.co.il/wordpress/2009/10/the-cost-of-hippa-privacy-violations/
The TJX data breach and CVS HIPAA fines have not impacted the stock performance and profitability.
In both cases, consumers have not punished the retailers for their data security events.
Do you agree that what counts is long term performance of the company?
4. Liability
US companies view litigation as the cost of doing business; with good lawyers who serve on the same boards as the opposition, amicable settlements can always be worked out.
TJ Maxx won a victory when a Federal judge in Boston ruled that banks must individually seek to recover costs from reissuing customers’ credit cards as a precaution against fraud. Visa subsequently lowered the interchange to previous levels.
Would you agree that a good lawyer is a better security countermeasure than compliance?
November 3rd, 2009 at 9:12 pm
As an Information Security professional, I agree with topic of post that” PCI Compliance Does Not Equal Security”, but I do not agree with arguments given with author. Any standard or best practice does not come into picture in a single day. PCI DSS is comparatively new standard in industry and have multiple loop holes but it does not mean that it is totally use less standard. It is the beauty of PCI DSS that it has integrated multiple security requirements posed by various payment card organizations. Still PCI DSC is working to improve the maturity of standards and will release new versions of standard. PCI DSS may not be best security standard but it is really nice effort by Payment Card Industry Regulators.