
Some Follow-Up Questions for Bob Russo, General Manager of the PCI Council

I just finished reading a TechTarget editorial by Bob Russo, the General Manager of the PCI Council, in which he responded to an article by Eric Ogren. Believe it or not, I don't intend this to be some sort of snarky anti-PCI post. I'm happy to see Mr. Russo responding directly to open criticism, and I'm hoping he will see this post so that we can get a response.

I admit I've been highly critical of PCI in the past, but I now take the position that it is an overall positive development for the state of security. That said, I still consider it deeply flawed, and when it comes to payments it can never materially improve the security of a highly insecure transaction system (plaintext data and magnetic stripe cards). In other words, as much as PCI is painful, flawed, and ineffective, it has also done more to improve security than any other regulation or industry initiative in the past 10 years. Yes, it's sometimes a distraction, and the checklist mentality reduces security in some environments, but overall I see it as a net positive.

Mr. Russo states:

It has always been the PCI Security Standards Council's assertion that everyone in the payment chain, from (point-of-sale) POS manufacturers to e-shopping cart vendors, merchants to financial institutions, should play a role to keep payment information secure. There are many links in this chain -- and each link must do their part to remain strong.

and

However, we will only be able to improve the security of the overall payment environment if we work together, globally. It is only by working together that we can combat data compromise and escape the blame game that is perpetuated post breach.

I agree completely with those statements, which leads to my questions.

  1. In your list of the payment chain you do not include the card companies. Don't they also have responsibility for securing payment information and don't they technically have the power to implement the most effective changes by improving the technical foundation of transactions?
  2. You have said in the past that no PCI compliant company has ever been breached. Since many of those organizations were certified as compliant, that appears to be either a false statement, or an indicator of a very flawed certification process. Do you feel the PCI process itself needs to be improved?
  3. Following up on question 2, if so, how does the PCI Council plan on improving the process to prevent compliant companies from being breached?
  4. Following up (again) on question 2, does this mean you feel that a PCI compliant company should be immune from security breaches? Is this really an achievable goal?
  5. One of the criticisms of PCI is that there seems to be a lack of accountability in the certification process. Do you plan on taking more effective actions to discipline or drop QSAs and ASVs that were negligent in their certification of non-compliant companies?
  6. Is the PCI Council considering controls to prevent "QSA shopping" where companies bounce around to find a QSA that is more lenient?
  7. QSAs can currently offer security services to clients that directly affect compliance. This is seen as a conflict of interest in all other major audit processes, such as financial audits. Will the PCI Council consider placing restrictions on these conflict of interest situations?
  8. Do you believe we will ever reach a state where a company that was certified as compliant is later breached, and the PCI Council will be willing to publicly back that company and uphold their certification? (I realize this relates again to question 2).

I know you may not be able to answer all of these, but I've tried to keep the questions fair and relevant to the PCI process without devolving into the blame game.

Thank you,

—Rich


Comments:


By Bob Russo  on  09/01  at  08:13 AM

Hi Rich,

Thanks for taking the time to review my post on Search Security, and for giving the issue of payment security a lot of thought. You seem to address the issue pragmatically, which is exactly what is called for when trying to raise the awareness of PCI standards and the security of organizations globally. 

I wanted to take some time to respond to your open letter, and provide you additional clarity to a few of your questions. Before I address your letter, I’d also like to let any of your readers know that they can feel free to submit any future suggestions on how the standards should evolve directly to me at brusso@pcisecuritystandards.org. This participation - and the questions we get from stakeholders on a daily basis– helps us to continue to evaluate the Standards and their implementation and start planning for the next generation of requirements in the PCI DSS.

You are correct, Rich, in that it is in the best interest of every member of the payment chain, including the payment brands, to better secure payment data. We, as a whole, can’t be oblivious to the data breaches we have seen and the gaps in security that have allowed these breaches to occur.

Now, there are a lot of finger pointers and arm-chair quarterbacks out there who simply point out challenges and think that helps.  There are also those who ignore the present and immediately jump to their vision of “Card Security in the Year 2020.” Let me be direct here: The Council was formed to do one thing: protect the data in the system as it exists now.

I can’t say that being PCI compliant would make an organization immune from the quickly evolving nature of today’s threats, but I can tell you it is the best available foundation for a payment data security strategy that companies have. In my post event conversations with breached entities and forensics investigators, I have still yet to see a PCI compliant organization get breached. Yes, certification is another matter, but what seems to be occurring is that organizations are going into this process with the mindset of passing a twice yearly physical. As you point out, this can be counterproductive for security efforts. You can’t stay in shape by exercising twice a year - you have to exercise daily. This is the same for an organization’s security – you have to live and breathe it – all day, every day - and you have to build a strong foundation of security in your organization.

Regarding the compliance certification process and questions on QSAs, we’ve really worked hard to address many of your questions in the Council’s QSA Quality Assurance program. This program was set up to directly address some of our constituents’ concerns, which you echo in your post. Through this program, we have provided clearer guidance on interpretations of the standards, as well as instituting a review process for QSA assessments. There is also the opportunity for assessed companies to provide feedback to the Council on a specific QSA’s performance, including if they feel they were under product sales pressure, which goes against our ethical outlines for QSAs. We believe this is increasing the level of accountability of QSAs and is helping to elevate the thoroughness, prudence and documentation of the assessment process. A number of QSAs have already gone through the Council’s remediation process to improve the effectiveness and quality of their PCI assessments. Some have even exited the business as a result. Again, this is a transparent process; we list all of these firms on our Website and follow up with them regularly.

I want to point out here, though, that when any entity engages a QSA, they need to understand that this is a partnership. The mutual aim of that partnership should be to work together to secure cardholder data. Not to get a certificate. This mistaken mentality is what can lead to data compromise. Cutting corners or costs, no matter how much pressure you’re under in today’s environment, is unlikely to get you your desired end goal. As I’ve said many times, it’s not enough to focus on compliance then file away your certificate. The assessment process should help a company understand their risks and help them think about how to counter them on a daily basis. As one of our Board of Advisors always puts it: “You are only one control change away from being out of compliance.”

For those interested in understanding what the QSA is looking for in an assessment, we have also opened up PCI Standards Training designed to help merchants improve preparation for on site assessment, understand what is involved in creating their own internal assessment capability and establish an internal compliance program to help them sustain PCI DSS security practices and compliance when the assessment process is completed. This training should help engender the sense of partnership that must exist between QSA and assessment company to improve security.

I hope this answers a few of your questions, Rich, but if you have more, I would be happy to elaborate further in the future. Next time I’m in AZ or we’re at the same event, let’s get a drink.

Best,

Bob Russo

By Rich  on  09/01  at  10:05 AM

Thanks Bob- I really appreciate your willingness to hop over here and respond.

While you didn’t cover everything, I think this is still very informative. It’s clear now, per your statement, that your mandate is somewhat limited and any discussions of changing the payment system are beyond the charter of the PCI Council. (That’s not a criticism, nothing you can do about it).

I realize I might be a bit of an armchair quarterback, but I try to be a constructive one (and I’ve been advising clients on these issues since before PCI existed).

I’m still concerned with some of the process-oriented issues involved in certification. The fact that most of the big breaches involved organizations that were certified, yet non-compliant, is concerning. I’ve made some suggestions in the past on possible ways to address this that aren’t overly burdensome on companies, which might make good fodder if we ever do meet up at an event.

I’ll fight my normal nature and keep this concise- thanks for the response, and I look forward to having a full discussion down the road… we have plenty of beer here at Securosis Central, a much better selection than the White House.

By LonerVamp  on  09/09  at  02:46 PM

Wow, how’d I miss this gem of a post? I’m slacking off!

“I can’t say that being PCI compliant would make an organization immune from the quickly evolving nature of today’s threats, but I can tell you it is the best available foundation for a payment data security strategy that companies have. In my post event conversations with breached entities and forensics investigators, I have still yet to see a PCI compliant organization get breached.”

I think the above snippet illustrates what I think are two issues with PCI DSS.

I want to preface that I like PCI DSS. But I also look at PCI from what I consider a proper scope. It’s not perfect. It’s not going to ensure some sort of absolute security. It’s not a point-in-time, but a process. And so on. This all helps me properly value PCI DSS as an excellent bottom-line and an excellent guide as a foundation.

1) The PCI DSS isn’t marketed enough, up front, that it is not the end-all-be-all guide to absolute security. Most of us in the industry understand this quickly, and many of us let it sink in enough that it won’t cloud our judgements. But far too many businesses and persons do not truly “Get” security, and they get it into their head that PCI DSS is the Bible. Allowing that misperception is bad. So, big bonus for being up front about that above!

2) I understand you probably *need* to say that no one who has been PCI compliant has been breached, or your card companies may get mad or the courts start handing down penalties. But I really think it is wrong to be so up front with that. It either means there is a big disconnect on what we all think “PCI compliant” means, or it is a position that can never truly be disproved. In other words, one could *always* say that a company that is breached wasn’t PCI compliant just because of the fact that they were breached. So, people like me see that as a really bad, preachy, rosy-colored way of saying that PCI has value. But yes, I understand there may be a legal/political reason to state such things. I’d just rather not see it. :) To me, the argument whether a company is PCI compliant or not at a breach is irrelevant.

Thanks for posting, even if you don’t see this follow-up comment. Just being open and accessible is a bonus, plus it really helps fill in the gaps between journalism soundbites. PCI has done more than maybe anything to improve security and/or our security consciousness. Whether I agree with all statements or not doesn’t diminish my view of PCI’s real value with all the hyperbole stripped away.

By Bob Russo  on  09/10  at  06:04 PM

LonerVamp,

Thanks for taking the time to share your perspective.  We both agree that there needs to be continued emphasis of the PCI DSS as a foundation for a strategy that focuses on security, rather than compliance; and you are also right that despite us advocating this, it often isn’t the part of the interview that makes it into news stories on the topic. The editing process is not always kind!

When I talk about the Standards, what I really want people to focus on is that the DSS is quite simply your best line of defense against a data breach. By keeping up to date and vigilant in your security processes you are extremely unlikely to be breached.

Again, thanks for the contribution. It is real dialogue, like this (and well outside the screaming headlines), that helps evolve the mindset and actually make progress on improving payment security globally.

Regards,
Bob Russo
