PCI compliance often ineffective in stopping data thieves
Posted on | September 23, 2009 | 14 comments
In concept, at least, the Payment Card Industry Data Security Standard (PCI DSS) forms a useful and necessary layer of protection, designed for the specific task of keeping thieves from getting their mitts on credit- and debit-card account numbers and PINs.
Now come the Ponemon Institute and tech security firm Imperva with survey results underscoring what cyber criminals, merchants and banks all know too well: PCI is having only a limited effect.
PCI DSS is a set of requirements maintained by the PCI Security Standards Council, which Visa, MasterCard and the other major card brands founded to help organizations protect cardholder information. It is not a law; compliance is imposed contractually through the card brands, and merchants and financial firms that don’t comply with PCI rules can be fined by Visa and MasterCard.
Ponemon and Imperva surveyed more than 500 companies globally that cumulatively generate annual revenues of $5.6 billion and found:
- 71% of companies do not treat PCI compliance as a strategic initiative, yet 79% have experienced a breach.
- 55% only focus on credit card information and do not secure Social Security numbers, driver’s license numbers, and bank account details.
- Consumers are more at risk doing business with smaller companies: only 28% of these comply with PCI as opposed to 70% of companies with 75,000 or more employees.
Verizon’s forensics show similar pattern
Imperva’s findings fit hand-in-glove with Verizon’s 2009 Data Breach Investigations Report. LastWatchdog highly recommends that anyone curious about the commonalities in actual database breaches read Verizon’s 2009 report and its predecessor, the 2008 Data Breach Investigations Report.
Verizon closely examined patterns in more than 590 data breach cases from 2004 through 2008, in which 515 million records, mostly payment card data, were stolen. In each of these cases, Verizon was hired to do a CSI-like forensic probe. Its investigators found, among other things, that 81% of the companies breached in 2008 were not PCI compliant.
TJX, parent company of TJ Maxx and Marshalls, was famously not in compliance with PCI rules in 2007, when hackers extracted some 94 million cardholder records over the course of approximately eight months, then a record.
But the Hannaford Brothers grocery store chain was in compliance when it lost 4.2 million cardholder records. So, too, was Heartland Payment Systems when it ignominiously broke TJX’s record, losing 130 million payment card records over a period of 13 months. Albert Gonzalez of Miami has pleaded guilty to playing a role in the TJX hack, and faces charges related to the Hannaford and Heartland hacks.
Going through the motions
Heartland “went through the motions without actually implementing a meticulous and rigorous data security program,” says Imperva CEO Shlomo Kramer. “Companies that don’t use PCI as a strategic initiative will cover only credit card numbers and not other data that’s equally problematic to lose like Social Security numbers.”
Kramer notes that the PCI rules only require companies to focus on payment card data; other data, such as Social Security numbers, birth dates and driver’s license numbers, isn’t covered.
Still, PCI is having a positive impact by “bringing security to the table and forcing companies to think about data protection,” says Kramer. “Many companies, 27% in our survey, have used PCI to force data security high onto the executive and corporate priority list.”
Photo of Kramer by Imperva; graphic by http://www.thewebshop.ca/home
By Byron Acohido
Comments
This analogy comes from Evan Schuman, of StorefrontBacktalk.com:
The last point in your story was perfect, which is that, despite all its flaws (and it has a TON of flaws), it is unquestionably better than what was there before. And that’s a good thing.
The analogy I like to use is the USDA Food Pyramid. A few years ago, when they were preparing to update it again, there was the usual argument at Agriculture about how far to go, with some nutritionists arguing for sticking beef in the candy segment. The counter to that argument was pretty much the PCI argument: “Look, this is a voluntary program. Our sole purpose is to improve the American diet. If we put something out there that’s too extreme, people will simply ignore it. If we do it gradually, we have a much better chance of improving the American diet.” That’s what PCI is. To get compliance, they have to propose things that aren’t overly strenuous.
Also, PCI has a huge burden: It has to apply to all retailers. When thinking of data security rules that apply to both Wal-Mart and the one-location Phil’s Bait Shop down the street, it’s a fairly small list. The fact that they have to post one list of rules for everyone forces them to be fairly general.
Comment by bacohido — 9/23/2009 @ 9:56 am
Hey Byron,
Great post. It makes me wonder if “Security” is dying and if “Risk Reduction” and “Compliance” are becoming the new King and Queen.
-Joe
Comment by Joe — 9/23/2009 @ 9:57 am
An interesting piece, but I’m not sure what this says that isn’t already widely known, at least in retail circles.
Your first bullet (“strategic initiative”) makes sense because PCI procedures are by definition highly tactical, just like Sarbanes-Oxley procedures or HIPAA forms. So the fact that most retailers don’t see it as strategic makes perfect sense. I’d be more interested in hearing from the 29 percent who said that they thought it was strategic and asking them how they’re defining strategic.
The “55 percent only focus on credit card information” is sort of confusing as the story is about PCI and PCI doesn’t have anything to do with anything OTHER than credit (and debit) card data.
The third bullet (about the risk of dealing with smaller companies) is certainly true, but it’s also quite well known. There’s also the counterpoint that the most sophisticated cyberthieves can’t make any money unless they’re grabbing more than 5 million names, so smaller retailers are simply of minimal interest. Smaller thieves certainly would view small retailers as easy marks, but that’s more likely to be physical attacks (as in swapping their card swipe terminals with fake ones or similar in-person attacks along the lines of breaking into a file cabinet of receipts at night).
Also, those PCI compliance numbers are highly suspect. (Consider this example: http://www.storefrontbacktalk.com/securityfraud/largest-retail-pci-compliance-now-at-77-percent/)
That last point is key because Visa is wonderful at this sleight of hand. For example, they say that no PCI compliant retailer has ever been breached. They can say that because they automatically declare that any retailer who is breached must, therefore, have been certified incorrectly. Ergo, they were never compliant. George Orwell would have been pleased.
Comment by Evan Schuman — 9/23/2009 @ 11:21 am
The information in the Imperva study, as well as those contained in the Verizon reports, are also related to and corroborated by a recent study performed by Veracode in partnership with Forrester Research. That study revealed that exploitation of vulnerabilities in software is a major cause of data breaches. 62% of companies in the survey responded that they have experienced security breaches which exploited vulnerabilities in software in the last 12 months.
So, how does this relate to PCI? Well, there seem to be several systemic issues that are hindering the mass adoption and successful implementation of PCI. Certainly one of them is the notion that some enterprises would rather incur fines than get meaningless (and costly) “rubber PCI stamps” that are increasingly being provided by some of the PCI consultancies. In some cases, many of these shops have become “hybrid” certification houses that offer additional security products and services, such that they have lost much of their “independence” and sacrificed their ability (or willingness) to do security assessments deep enough that they are meaningful, and thus leave the enterprise exposed.
Solutions providers such as Trustwave and others not only provide PCI compliance check boxes, but also try to sell additional security products and services to that company using PCI as a wedge. This situation has in some cases become significant enough that a conflict of interest has developed between the enterprise and the certification company, and enterprises would rather pay fines than pay money for poor quality assessments.
There also seems to be a cultural component at play here, where it is very difficult to implement change in these organizations. Therefore, PCI compliance is more of a “point in time” certification rather than a continuous improvement program. Without proper implementation and maintenance of a PCI program, strong-willed hackers will often win at some point simply by trying harder.
Lastly, and this should not be a surprise given the services Veracode provides, achieving a true understanding of code level security quality across the entire software infrastructure is absolutely critical. According to the Forrester study, exploitation of vulnerabilities in software is a major cause of data breaches. Many companies can identify their business-critical applications, yet few know the security quality of those applications.
Only 13% of respondents knew the security quality of all their business applications which they deem critical to the enterprise.
I look forward to the day where PCI compliance is both meaningful and made possible to be adopted by the mass marketplace.
Comment by Matthew Moynahan — 9/23/2009 @ 11:27 am
I was on the Webcast from the Heartland CEO about their breach. Heartland were NOT simply going through the motions with PCI. They were investing in security – at the same rate before and subsequently. He was not simply paying lip-service to the standard.
Security is just a fiendishly difficult thing to achieve – the defender must prevent all attacks whilst the attacker only needs to get lucky once.
I agree that PCI is not taken seriously by all firms – and many hide behind the words of the standard rather than embracing the spirit of it. For those firms who become passionate about security, PCI does not limit those wishing to go beyond the standard, and just maybe, it will force the introduction of the concepts of data security to boards who would have otherwise been oblivious.
Yes – beef up PCI! Don’t run it down.
Comment by Steve Moyle, Secerno — 9/23/2009 @ 11:34 am
Hi Byron,
I agree wholeheartedly with your position on PCI. Inherently it is a band-aid on a gigantic open wound that needs much stronger solutions.
Outside of the United States, banks and credit card processors have implemented security measures such as smart credit cards and PIN generators for consumers. These measures make the recording of credit card information useless to hackers and criminals.
Unfortunately the credit card industry here in the USA felt it was cheaper to force PCI on merchants and fine them for breaches instead.
The idea of protecting personal sensitive data (such as driver license information and Social Security card numbers) via strong encryption with good access control systems makes sense.
In this area, as well as the implementation of basic controls such as: strong ever changing privileged account passwords (we do that at http://www.liebsoft.com ), data encryption, and segregation of duties, PCI does perform a useful role in helping companies get more secure.
In the current situation of limiting breaches, PCI does help, but stronger technology must be implemented by the credit card issuers, otherwise the criminals will always have the upper hand.
On the other hand, companies must also pay attention to internal threats and implement their own control systems that make sure that employees only have access to sensitive information on a “need to know” basis and only for a limited period of time, with all accesses to sensitive systems audited. Most organizations only implement such proper controls after they have been attacked and have lost substantial sums of money.
The failure to implement corporate security is akin to someone having to get into a car accident and “nearly losing their lives” to believe in and begin wearing a safety belt and follow the law when driving. Just as in driving, security requires a company to drive defensively and implement controls for both external and internal threats.
PCI is a good start, but only a tiny part of the security posture needed to secure their assets.
Philip Lieberman
President
Lieberman Software Corporation
http://www.liebsoft.com
Comment by Philip Lieberman — 9/23/2009 @ 1:34 pm
This just shows how companies are accepting risk instead of mitigating it. The numbers in these reports are absolutely astounding.
Is this the case of too many companies who would rather pay the fine than implement security measures? In other words, they would rather pay the $500,000 fine than implement a $2,000,000 security rollout. Is the focus lost on consumer protection in lieu of the bottom line for board members?
One can only hope that PCI continues to grow beyond its current standards and will be addressed with stiffer penalties.
Comment by Jason Miller — 9/23/2009 @ 1:43 pm
Most external auditors won’t laugh in public about PCI, but they don’t gush with praise about it either.
We are likely to have additional reports of organizations in compliance with PCI that have nonetheless suffered the loss or theft of customer data, credit card information included. The reasons for this include:
1) PCI is only a snapshot of the practices at the time of the assessment
2) PCI is an assessment, not an audit
So what can you do if you have passed a PCI audit and want it to mean something?
Avoid getting trapped by the chimera of checking off the PCI assessment box and change practices for the long haul.
You can find which practices are really driving a difference in Guidance for Best Practices in Information Security and Audit (no advertising, no gimmicks) at http://www.itpolicycompliance.com today
Other useful information sources:
CobiT and COSO can be found at ISACA: http://www.isaca.org
PCI: http://www.pcisecuritystandards.org
ISO: http://www.iso.org
NIST: http://www.nist.gov
ITIL: http://www.itil-officialsite.com
Best,
Jim Hurley
Managing Director
IT Policy Compliance Group
Comment by Jim Hurley — 9/23/2009 @ 2:36 pm
To summarize comments presented by several others, PCI compliance can never be the goal of the organization but, compliance is an outcome of a sound security program that is periodically assessing the risk of all forms of internal and external data breaches.
The PCI data security standard has heightened security awareness, but the council’s ongoing development of the standard is a clear signal that it cannot be relied upon as an organizational framework for a complete network and data security program. Processes and systems need to be put in place that allow organizations to enforce both corporate and security policies.
Providing a mechanism for strong consumer authentication (as the chip and PIN system in Europe has done) is a critical first step in making the payments system more secure.
Just as important is deploying strong authentication for both logical and physical access to an institution’s employees, partners and suppliers. This is the front line in preventing unauthorized access to data, whether it is credit/debit card numbers or any other sensitive information.
David Berman
Senior Manager, Solutions Marketing
ActivIdentity, Inc.
http://www.actividentity.com
Comment by David Berman — 9/23/2009 @ 5:42 pm
The PCI Data Security Standard is a great start in helping institutions ensure they take appropriate measures to protect customer information. However, for many organizations, PCI has become a classic case of confusing the means with the end. A holistic enterprise security program requires addressing four key elements: protecting the infrastructure, protecting the information, effective systems management, and developing and enforcing IT policies.
On this last point, developing and enforcing IT policies, considerable research has been done that shows that companies with a structured governance approach – starting with a clear and well communicated set of security objectives, then leveraging a framework like PCI or ISO as guidance to define a set of internal controls to cover procedures as well as IT infrastructure settings, which they then test frequently – have both the best security and compliance outcomes. Even more compelling is that these very same companies that have implemented IT governance programs have at the same time lowered their overall security and compliance costs by using enterprise software solutions to address the full scope of the business problem, particularly controls automation.
So, in short, Kramer is absolutely right – if your focus is on achieving PCI compliance, that’s exactly what you’ll get, and odds are, you won’t be secure. What companies should be focused on instead, however, is developing a holistic enterprise security program.
Aaron Aubrecht
Sr. Director, Product Management
Symantec
Comment by Aaron Aubrecht — 9/23/2009 @ 9:19 pm
Hey Byron
Great topic and nice coverage. It’s certainly got a lot of people’s attention. I have to agree with some of the comments above but disagree with some of the others.
- First, PCI is a great step forward and yes it’s ambiguous and not perfect. But, I am attending the PCI council meeting this week and I am very pleased to see the council’s openness on receiving feedback so they can improve the standard. I think it’ll only get better.
- Before PCI, most of the regulatory standards including GLBA, SOX, HIPAA, SB1386, AB 1950, etc. were even more vague. At least PCI had some teeth in it.
- There were a few problems with some of the fundamentals behind the PCI requirements. Most of the emphasis was on network and wireless while 80% of attacks are occurring through Web applications!!
- Of course, companies will take the quickest way to compliance even if security is not achieved. It’s no different than companies getting their accounting books audited and auditors giving them a passing grade even if they were not. Think of PWC missing Satyam’s billions of dollars in discrepancy
- Heartland was “duped” by their service provider. Heartland’s intentions were right. They were paying a service company a lot of money and relying on their expertise and they didn’t do their job.
- Finally, I always say, that if companies focus on securing their infrastructure first by prioritizing the most vulnerable and easily exploitable areas first, compliance (not just with PCI but all other standards) will fall in place. Doesn’t work the other way.
Thanks
Mandeep
Comment by Mandeep Khera — 9/23/2009 @ 11:26 pm
Byron – great article with frustrating ramifications. I think you’ve nailed two key issues: (1) for larger, more mature enterprises, PCI is not a complete security practice; and (2) for smaller companies, the risk (and impact) of a data breach is very much prevalent today and only going to get worse.
For larger enterprises, I agree with Mr. Kramer that PCI is only about protecting what the credit card companies want to protect…it’s a watered down version of broader standards such as ISO 27002 for sure, but the good news is that any CIO/CTO can implement PCI without involving (and transforming) the entire organization (like ISO would require). It can also be funded as an IT mandate (CIO to CEO: “We must do this to continue taking Visa and MC”). I really don’t ever see PCI as being elevated to “strategic” in nature, nor does it have to be.
The same is not true for more holistic approaches such as ISO, et al: a “good idea” as promulgated by IT security gurus can easily become a strategic imperative if your business partners require compliance to even start doing business together.
And yet, even these holistic standards only extend the efficacy of PCI specifically in the areas of data at rest and supporting business processes. Further, the industry certainly is rallying around protecting data “on the go” (i.e. USB key chains, etc)…but the growing threat is theft of credentials and other sensitive information in real time — in other words, data “in use.” The market and standards community has few truly scalable solutions to address this gap. But there are a few, and I mean things that go beyond physical devices hooked to endpoints, or “bound to fail” practices such as long or continually changing passwords.
And this brings me to the second group (small businesses): I couldn’t disagree more that there is less risk for customers dealing with smaller companies due to their low volume of valuable data (see earlier comment from one of your readers). In fact, Verizon’s 2008 report drives home just that point: 95% of all data breaches occurred in businesses with 10 to 100k employees. In other words, cyber criminals are equal opportunity thieves. And I believe it’s only going to get worse: while any single “small company” may not have the requisite volume of data to make it a target of cyber criminals, it is becoming increasingly cheap and easy to assemble a botnet to attack multiple smaller targets, and harvest/aggregate inventory of valuable information for later re-sale.
As recently reported in the NY Times (http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/), we’re already seeing this type of behavior in the hacker community. And the beauty of technology is that it’s inherently repeatable, scalable, and unit costs just decrease over time — so it’s only a matter of time before the masses of less sophisticated cyber criminals get their hands on “commercial grade” real-time data harvesting tools and software.
Can industry step up?
Best regards,
Tim Brown
Comment by Tim Brown — 9/25/2009 @ 10:01 am
Hey Byron
Very interesting post.
A Forrester report from last year asked IT security organizations about the importance of different IT security issues; the report indicates that regulatory and compliance ranks in 7th place (out of 11). I believe this finding is also aligned with this post’s statement. But even though most organizations consider the 12 PCI requirements as “checkboxes” that IT is required to tick, PCI has a very positive impact on organizations’ security.
One benefit of PCI for organizations is that PCI takes into consideration high and real security risks that have not always been viewed as a high priority by most organizations but should be considered so. One example is PCI requirement 6.6, which discusses web application security. According to the Verizon Business report mentioned in this post, only 5% of organizations comply with PCI requirement 6, but according to the IBM X-Force H1 2009 report from August this year: “The most prevalent type of vulnerability affecting servers today is unquestionably vulnerabilities related to Web applications.” Furthermore, googling “SQL injection attacks”, one of the most common techniques to hack into web applications, will turn up many large and well publicized reports about companies that have been hacked using this web oriented technique. The Heartland Payment Systems breach that is mentioned in Byron’s post is a good example of a costly breach that was done using the SQL injection technique.
Thanks
Eran Livne
Product Marketing Manager
Radware
Comment by Eran Livne — 9/26/2009 @ 3:09 am
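The SQL injection pattern the comment above refers to, and the secure-coding fix that PCI DSS requirement 6.5 expects developers to apply, shown side by side. This is an added example for this page, not code from the original post, from Heartland, or from any commenter; the `customers` table, its two rows and the function names are constructed for the illustration and do not describe the Heartland intrusion.

```python
"""Vulnerable vs. parameterized lookup of a cardholder record.

Runs against an in-memory SQLite database; the data below is made up.
"""
import sqlite3

# Constructed sample rows (test card numbers, not real cardholder data):
# a merchant customer table whose PAN column is exactly what PCI DSS scopes.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def make_db():
    """Build the constructed customers table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, pan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input spliced into SQL text (the injectable pattern).

    Whatever the caller supplies becomes part of the statement the database
    parses, so a crafted username rewrites the WHERE clause.
    """
    sql = "SELECT username, pan FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter.

    The input travels to the engine as a value, never as SQL, so the
    injected quote and OR clause are just characters in a username that
    does not exist.
    """
    sql = "SELECT username, pan FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload: closes the string, then ORs in a true predicate.
INJECTION = "x' OR '1'='1"


def demo():
    """Return (rows from vulnerable path, rows from safe path) for the payload."""
    conn = make_db()
    return lookup_vulnerable(conn, INJECTION), lookup_safe(conn, INJECTION)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned %d rows" % len(leaked))   # every PAN in the table
    print("parameterized query returned %d rows" % len(blocked))  # nothing
```

The vulnerable path hands back every PAN in the table for a username that does not exist; the parameterized path returns nothing for the same input. Parameterization fixes this one defect class; it does not by itself satisfy requirement 6.6, which additionally asks for application code review or a web application firewall in front of public-facing applications.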
Here we are a year on after the original post. To be honest, PCI compliance has not really made the headlines in the UK.
Of course, the major blue chips have implemented the standards and are compliant.
Getting the message across to SMEs and small startups is like banging my head against a wall sometimes.
People don’t realise the implications non-compliance would have on their business. Of course, once a breach occurs, it’s too late!
Comment by Al — 3/13/2011 @ 10:04 am