I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It’s a great idea: instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones.
Now before I get to the fun part, I want to quote myself from one of my posts on PCI:
Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process.
Now on to the fun (emphasis added by moi):
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.
What a load of shit. With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability of assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work.
You could also nominate me for the PCI Council Board of Advisors. I’m sure that would be all sorts of fun.
Seriously – we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements.
10 Replies to “A Very Revealing Statement by the PCI Council”
‘[…] of their being listed as in good standing with the council at the time of the breach. From Securosis.com: Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general […]
[…] Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant – regardless of their being listed as in good standing with the council at the time of the breach. From Securosis.com: […]
Chris,
Nice! Calling out Rich! Seriously, it’s a good question and one which has been difficult to answer over the last couple of years. Obviously, prior to CA 1386 and the other state variants of that law, 100% went unreported. Even with disclosure laws on the books, over the last 4 years many wiggled through the “encrypted records” loophole where they had encrypted the data in its primary repository, so were not responsible to disclose. There are still many cases where companies, in concert with “ongoing law enforcement investigations,” choose not to disclose as they are in a legal gray area. And some were compromises of key executives’ passwords, and because they could never emphatically prove who accessed the data because of incomplete audit trails, they chose to not report over telling the world “we really have no clue what happened.” Over the last two years, I have had some minimal access to some investigator sources that say a lot of the breaches are not reported due to ongoing internal or external investigations. As some were being “honey-potted” to see if they could learn more about the attacker from future attacks, these “internal investigations” could conceptually go on forever. My feeling is we are closer to 40% disclosure than 20%, but as Rich said, not a hard number, but just a small sampling of companies and investigators we have spoken with over time. Thanks for the question.
-Adrian
Chris,
Bit distracted with a new baby, but the short answer is interviews with various people around the industry… especially those involved with incident response. Definitely not a hard metric. For example, investigators who tell me only 20% of their clients report a breach, and the rest accept the risk of not disclosing.
Just an estimate, and nothing I’d stake my devalued house on.
@Rich: “based on some research” you say breaches are 80% unreported. What research?
Responding to the comment by David Navetta on Feb 26: you said that compliant doesn’t mean good security; the question is which solution you use. We installed dotDefender, which gives PCI 6.6 compliance and real-time website protection.
[…] PCI Compliant and they were breached! I have come across a great discussion around this statement at securosis.com. I think they are making some very valid points over there so I’m not going to repeat them […]
PCI DSS is an attempt to mitigate the risks that face a symptom of a broken system. As long as credit card payments require personal information to be collected and accept users (barely) authenticating themselves, we will be running after the facts.
Until the credit card companies insist on developing and deploying good authentication, and eliminate the need to collect personal information, valuable information will be collected and stored and it will remain a target for Bad Guys.
As you point out, there is a disconnect between who receives the benefits of such a system (consumers) versus who will be required to put in a large amount of the required resources to create such a system (businesses).
[…] Rich: A Very Revealing Statement by the PCI Council. […]
David Navetta’s comment about point-in-time compliance being a red herring is right on the money. It is more important for data holders to focus on satisfying the objective of the standard than it is to focus on satisfying the certification process itself.
The objective of the standard is to “encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” It is hard (actually, impossible) to argue that the objective is poor, so if point-in-time certification is not the best way to achieve the objective, then reconsideration of the certification process is in order.