Update: Yes, I know it’s the QSAs not ASVs that certify. Dumb mistake on my part.
Yesterday I posted an analysis of the Hannaford breach in which I made a contentious statement.
In other words, PCI is worthless.
Some of the commenters weren’t too pleased with this statement, an example from @Mike:
That said, to discount the program as “worthless” makes me question how informed the person saying it really is about this topic.
I’ve been digging into PCI since before it was PCI (Visa CISP) and talked with all sides, from struggling retailers, to credit card processors, to auditors, to the big guys themselves. You might not like my conclusions. You might think I’m an idiot. But I’m definitely a well informed idiot.
Now back to PCI.
I admit that PCI isn’t completely worthless. But let’s not call something that’s degraded into a very costly awareness nudge an effective industry standard for protecting cardholder information. Pretty much everyone involved, with whom I have discussed PCI, admits it’s not very effective, especially considering the cost. A few points and suggestions for fixing the system:
- PCI-DSS was established to transfer risk from the credit card companies to the retailers and processors. There is a lot the credit card companies could do to reduce risk on the processing side, but they have instead chosen to push it onto the retailers and processors.
- Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process.
- No ASV has been dropped from PCI, even after certifying non-compliant companies. There is no accountability in the system.
- ASVs are allowed to offer services to the companies they certify, which is a built-in conflict of interest. They should be held to the same standard as financial auditors where the audit function and compliance assistance/services/consulting cannot come from the same auditor.
- Many auditors certify compensating controls that are clearly ineffective.
- Due to lack of accountability in the system, companies push ASVs for the lowest price possible to achieve “compliance”. This price pressure leads to cheap certification, and the approval of inadequate controls mentioned in point 5. PCI-DSS is moving to a checkbox that doesn’t necessarily reflect any level of security, and the credit card companies are okay with that since they can just later find the company in violation after a breach, yank certification, levy fines, and push all costs to the retailer.
We can fix PCI, but right now it’s very ineffective at stopping real breaches. The standard needs to adapt faster; there needs to be accountability and separation of duties at the auditor level; and the credit card companies need to adjust the processing system to reduce fraud, not just set an incomplete standard for retailers.
Maybe not worthless, but considering the cost we sure as heck should be getting more out of it. Some companies use PCI to improve their security, but many others do as little as possible to comply, and thus security isn’t increased in any meaningful way.
11 Replies to “Is PCI Worthless?”
[…] Now before I get to the fun part, I want to quote myself from one of my posts on PCI: […]
If VISA or the Card companies did the audits themselves and backed them up, PCI would be worth something. Reading all the disclaimers on VISA’s validated payment applications list just shows that PCI is bullshit:
"Although Visa reviews the QPASC-developed data and information, Visa does not independently confirm such data or information nor does Visa perform any tests or analysis of the functionality, performance or suitability of any of the applications and/or products listed. Visa makes no endorsement or recommendation of applications or products, or of their respective developers or distributors. Furthermore, Visa makes no warranties, guarantees or representations that any of the applications or products will meet your requirements for performance or functionality, that the applications or products will be free from errors or malicious code, or that the applications or products will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by Visa."
The main problem with PCI-DSS is who is working as QSAs and how technical they get with their assessments. I know plenty of auditors who know process but are weak enough on technology to accurately identify whether or not the technical controls are relevant to the risk, process, or standard.
Honestly, as an Information Security professional, I look at the Hannaford issue and ask: Why were these servers able to access the entire internet, where were the access lists and firewall egress filters? Why were these cardholder systems not properly restricted?
Cardholder systems were compromised but the disclosure would have been prevented (or at least reduced) by PCI-DSS requirements. Hannaford was not PCI-DSS compliant at the time of the breach. A properly-trained and capable QSA, someone who works in Information Security and not in the audit world, would have failed them.
Worthless? No.
Potential to be a huge liability nightmare? Yes.
The Legal Implications of PCI:
My problem is with the system itself: (1) it should not be so hard to be able to figure out how to become compliant; and (2) a merchant should not be liable for problems inherent in the system (as opposed to simply not complying with PCI).
In other words, if a merchant has bad security and suffers a breach, they should be liable. However, if a merchant follows PCI, but the PCI standard itself has an ambiguity or the merchant relied on an interpretation by VISA or the PCI Council, they should not be liable. Right now the liability cards are stacked against the merchants (and may filter down to the QSAs — although they may be protected contractually).
More in this article by yours truly: http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html
From my blog post on Building a security plan:
… let’s try and find out how the security program was implemented. A plan can be broken down into three major aspects, and several areas of specialty, however my list is not exhaustive:
* Strategic (Enterprise architecture, inventory/asset management, capital planning)
* Operational (risk management, risk analysis, certification standards, compliance)
* Tactical (scan & patch, pen-testing, exploit writing, hardening standards)
and
In the … section above, “Break down your plan”, I list three aspects of a security plan: strategic, operational, and tactical. If your security plan is largely tactical, you’ll begin to see patterns of vulnerabilities and software weaknesses. If it’s too strategic/operational and not backed up with enough tactics, you may end up with some losses. Many security program frameworks do not include enough information on tactics, or they don’t address the right tactics.
PCI-DSS is just that, too operational to be significant by itself. If you build a security plan around PCI-DSS (or if it’s the only thing you’ve got), or even as the ISMS in an ISO27K plan — your organization is bound to have "soft spots". When adversaries come looking for those areas of weakness, then you’re out of luck. They are going to find them, and more than likely — they are going to abuse them.
Wait until PA-DSS comes out and becomes implemented. It may fill more missing gaps, but it will also likely leave open some important ones. PCI-DSS is a maturity leveler. It’s not particularly useful for reducing the rate or criticality of data breaches, especially not by itself. It’s also extremely expensive for what it does implement.
I have also been involved since the early VISA CISP era. I’ve operated as an ASV, and have spoken to many of the top QSACs. I have not been a witness to an incident involving a company under PCI-DSS, but they are the ones that make the news headlines. People can argue all they want, but the reality is that PCI-DSS does not prevent breaches to credit card data and associated PII in any meaningful way.
Aw crud, that’s a dumb mistake and I know better. Fixing.
I agree for the most part, especially with #1. It’s time the card companies bit the bullet and fixed the root cause of the problem: the antiquated and inherently insecure magnetic stripe technology.
As for your knowledge of PCI, I believe you DO need to hit the books some more. You’re using ASV where you should be using QSA. ASVs do not and can not "certify" merchants as compliant or non-compliant. That’s the job of the QSA.
Is it worthless? No. Is it flawed? Yes. It can and will be improved, but only through the compromises. If Hannaford is a pre-auth or settlement breach, it may finally bring change to that area, despite people saying it’s a problem. Heck, PCI won’t change the DSS to remove hashing as a technique (unsalted that is) despite many papers showing it as heavily flawed. But if someone does breach a hashed database and reverses it, I bet it gets removed. 90% or more of the DSS is based on actual breaches and how they think it could have been prevented.
Speaking of the ASV process, I tend to agree. Just look at all the "HackerSafe" sites that Scan Alert (an ASV) certified that have problems (see youtube). And to make it worse, PCI requires a certified ASV for scans, but anyone can do a penetration test which takes a helluva lot more skill. At least they kind of got it right with 6.6 and stating web app reviews have to be done by a company that specializes in them.
But again, despite all these criticisms, I am the last person to say PCI sucks. It does lay out a lot of key ingredients for a good security program and does reach out to so many companies that never did. Give it some credit. Would you rather it never happened? Would you rather the merchants did SOX or HIPAA and make their own risk-based decisions? At the end of the day, PCI is still the best standard or regulation for security and it is the most prescriptive and has the least wiggle room. So don’t throw out the baby with the bathwater. No matter what, there will never be a patch for human stupidity.
Hi Rich
Point #1 you have dead to rights. The only addition I would say is that PCI is designed to protect the Visa and Mastercard brands. In that sense, it has been highly effective–probably too effective.
If you stop and think about it, it gets downright Machiavellian.
>>
But let’s not call something that’s degraded into a very costly awareness nudge an effective industry standard for protecting cardholder information.
<<
I suspect PCI is worthless in the same way that SOX is worthless WRT IT controls. Too much room left for interpretation by implementors and no real enforcement.
But the flipside is an overly specific requirements set that is outdated the moment it is drafted, and tends to become the playground of "sponsoring" vendors and their technology du jour…
I’d take it a step farther and say that I personally can’t think of a single attempt at regulated information security or IT controls or whatever
. o O (dare I say governance, no, I’d better not)
that is long term worth the paper it is printed on.