
A Very Revealing Statement by the PCI Council

I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It's a great idea: instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones.

Now before I get to the fun part, I want to quote myself from one of my posts on PCI:

Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process.

Now on to the fun (emphasis added by moi):

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he's never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.

What a load of shit. With the volume of breaches we've seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability for assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work.

You could also nominate me for the PCI Council Board of Advisors. I'm sure that would be all sorts of fun.

Seriously -- we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements.

—Rich


Comments:


By natron  on  02/25  at  09:35 PM

I think his BS comment is saying none were compliant in reality, while ignoring the fact that they were all compliant on paper.

By Andy Steingruebl  on  02/25  at  10:26 PM

A few points.

1. Given that PCI compliance is a cert for a point-in-time, it's entirely possible that a company was in compliance at the time they got their certification and then stopped applying patches, turned off their IDS, etc. This can happen with a yearly audit cycle.

2. I'm not sure I understand the general security industry frustration about PCI's controls and who they protect. I hear some people bashing them because they are smoke and mirrors not achieving anything, and other folks arguing that they are ok controls but not strict enough.

Given that the banks and/or processors (rather than consumers in most cases) bear the costs of most CC breaches (not other PII), isn't it reasonable that they should be designing the controls? Sure there can be fraud against the stolen CC data, but the CC user/owner doesn't really foot the bill for that, right?

I'm not quite understanding why so many people get their knickers in a twist about the security controls in PCI from a customer safety perspective. Sure from a "I don't want to waste my money as a business on ineffective security controls" perspective, but as a regular CC user I don't have a beef with PCI.

Am I misreading your post, or missing something else?

By Mike Rothman  on  02/25  at  10:35 PM

Amen Rich. Well said. I literally read exactly the same article with exactly the same hope and read that quote by Russo and thought exactly the same thing. What a crock of shit.

This is the kind of behavior that just validates my worry that PCI will become irrelevant. They are not accepting the fact that there may be some issues with the control set, rather blaming the processor (or retailer as it may be) for screwing things up.

Things are not going to get better for PCI unless they accept responsibility. Or make it very clear that PCI compliance is a myth. You may be compliant the day of the assessment, but you aren't the next day.

Mike.
http://securityincite.com

By Nick  on  02/26  at  01:20 AM

@Andy Steingruebl

Could it be because it forces a company to fork over quite a bit of money for whiz-bang software/appliances/hardware?
With this alone my feeling is that if you want to play the game then it comes at a cost.

The downside is that there are fairly clueless individuals running IT/Software operations from a technical point of view.
And when they begin governing how to cut cost, the implementers end up with some really crappy shit they have to manage.

By Peter de Rooij  on  02/26  at  05:12 PM

Whether Heartland was or was not compliant at the time of the breach is beside the point. As far as I understand, they had a valid compliance certificate, so evidently, the PCI process did not work well enough.

But I think the real problem is deeper than all of this. 

You can make certain types of card transactions based on static data alone (Name, PAN, Expiry, CVV).  That makes this data valuable.  Secondly, you have to provide all of that data to the merchant for each transaction.  That makes the data ubiquitous.
Together, that ensures that there will be breaches. 

Good security and risk management will reduce the rate at which that happens, but won't stop it. PCI prohibits storage of some data, and mandates better security practices elsewhere. But the basic fact remains: ubiquitous, valuable data, and therefore breaches.

So in my estimate, if PCI works well, including the right redistribution of liabilities and incentives, the best to be expected is that the whole system remains viable.  But breaches will continue.  And my gut feeling says at quite a rate, even if PCI and the accreditation process work very well.

I don't believe we can expect much more than that until the root cause is removed. Hopefully some brilliant minds are working on an easy to use, easy to deploy, and cost-effective way to pay without spreading valuable static data all over the place.

Of course, until that time, none of this takes away the need to fix any issues with PCI and the certification process…

By David Morgan  on  02/26  at  05:27 PM

David Navetta’s comment about point-in-time compliance being a red herring is right on the money.  It is more important for data holders to focus on satisfying the objective of the standard than it is to focus on satisfying the certification process itself.

The objective of the standard is to "encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."  It is hard (actually, impossible) to argue that the objective is poor, so if point-in-time certification is not the best way to achieve the objective, then reconsideration of the certification process is in order.

By Friday Summary: Feb 27  on  02/26  at  11:02 PM

[...] Rich: A Very Revealing Statement by the PCI Council.  [...]

By Kees Leune  on  02/27  at  05:41 PM

PCI DSS is an attempt to mitigate the risks that face a symptom of a broken system. As long as credit card payments require personal information to be collected and accept users (barely) authenticating themselves, we will be running after the facts.

Until the credit card companies insist on developing and deploying good authentication, and eliminate the need to collect personal information, valuable information will be collected and stored and it will remain a target for Bad Guys.

As you point out, there is a disconnect between who receives the benefits of such a system (consumers) versus who will be required to put in a large amount of the required resources to create such a system (businesses).

By Security Ninja Blog | PCI council devises a 12-ste  on  02/27  at  07:46 PM

[...] PCI Compliant and they were breached! I have come across a great discussion around this statement at securosis.com. I think they are making some very valid points over there so I’m not going to repeat them [...]

By John sreeder  on  02/28  at  10:13 AM

Responding to the comment by David Navetta, Feb 26: you said that compliant doesn't mean good security; the question is which solution you use. Now we installed dotdefender which gives PCI 6.6 compliance and real time website protection.

By Chris Walsh  on  03/01  at  11:47 PM

@Rich: "based on some research" you say breaches are 80% unreported.  What research?

By rmogull  on  03/04  at  01:35 PM

Chris,

Bit distracted with a new baby, but short answer is interviews with various people around the industry… especially those involved with incident response. Definitely not a hard metric. For example, investigators who tell me only 20% of their clients report a breach, and the rest accept the risk of not disclosing.

Just an estimate, and nothing I'd stake my devalued house on.

By Adrian Lane  on  03/04  at  07:35 PM

Chris,

Nice! Calling out Rich! Seriously, it's a good question and one which has been difficult to answer over the last couple of years. Obviously, prior to CA 1386 and the other state variants of that law, 100% went unreported. Even with disclosure laws on the books, over the last 4 years many wiggled through the "encrypted records" loophole where they had encrypted the data in its primary repository, so were not responsible to disclose. There are still many cases where companies, in concert with "ongoing law enforcement investigations", choose not to disclose as they are in a legal gray area. And some were compromises of key executives' passwords, and because they could never emphatically prove who accessed the data because of incomplete audit trails, they chose to not report over telling the world "we really have no clue what happened". Over the last two years, I have had some minimal access to some investigator sources that say a lot of the breaches are not reported due to ongoing internal or external investigations. As some were being "honey-potted" to see if they could learn more about the attacker from future attacks, these "internal investigations" could conceptually go on forever. My feeling is we are closer to 40% disclosure than 20%, but as Rich said, not a hard number, but just a small sampling of companies and investigators we have spoken with over time. Thanks for the question.

-Adrian

By  on  04/01  at  07:57 AM

[...] Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their being listed as in good standing with the council at the time of the breach.  From Securosis.com: [...]

By  on  04/01  at  11:52 AM

[...] of their being listed as in good standing with the council at the time of the breach. From Securosis.com: Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general [...]
