Of course, the major bluechips have implemented
the standards are are compliant.

Getting the message accross to SME’s and small startups is like banging my head against a wall sometimes.

People don’t realise the implications non compliance would have on their business. Of course, once a breach occurs – its too late!

Thanks
Eran Livne
Product Marketing Manager
Radware

For larger enterprises, I agree with Mr. Kramer that PCI is only about protecting what the credit card companies want to protect…it’s a watered down version of broader standards such as ISO 27002 for sure, but the good news is that any CIO/CTO can implement PCI without involving (and transforming) the entire organization (like ISO would require). It can also be funded as an IT mandate (CIO to CEO: “We must do this to continue taking Visa and MC”). I really don’t ever see PCI as being elevated to “strategic” in nature, nor does it have to.

The same is not true for more holistic approaches such as ISO, et al: a “good idea” as promulgated by IT security gurus can easily become a strategic imperative if your business partners require compliance to even start doing business together.

And yet, even these holistic standards only extend the efficacy of PCI specifically in the areas of data at rest and supporting business processes. Further, the industry certainly is rallying around protecting data “on the go” (i.e. USB key chains, etc)…but the growing threat is theft of credentials and other sensitive information in real time — in other words, data “in use.” The market and standards community has few truly scalable solutions to address this gap. But there are a few, and I mean things that go beyond physical devices hooked to endpoints, or “bound to fail” practices such as long or continually changing passwords.

And this brings me to the second group (small businesses): I couldn’t disagree more that there is less risk for customers dealing with smaller companies due to their low volume of valuable data (see earlier comment from one of your readers). In fact, Verizon’s 2008 report drives home just that point: 95% of all data breaches occurred in businesses with 10 to 100k employees. In other words, cyber criminals are equal opportunity thieves. And I believe it’s only going to get worse: while any single “small company” may not have the requisite volume of data to make it a target of cyber criminals, it is becoming increasingly cheap and easy to assemble a botnet to attack multiple smaller targets, and harvest/aggregate inventory of valuable information for later re-sale.

As recently reported in the NY Times (http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/), we’re already seeing this type of behavior in the hacker community. And the beauty of technology is that it’s inherently repeatable, scalable, and unit costs just decrease over time — so it’s only a matter of time before the masses of less sophisticated cyber criminals get their hands on “commercial grade” real-time data harvesting tools and software.

Can industry step up?

Best regards,
Tim Brown

Great topic and nice coverage. It’s certainly got a lot of people’s attention. I have to agree with some of the comments above but disagree with some of the others.

- First, PCI is a great step forward and yes it’s ambiguous and not perfect. But, I am attending the PCI council meeting this week and I am very pleased to see the council’s openness on receiving feedback so they can improve the standard. I think it’ll only get better.

- Before PCI, most of the regulatory standards including GLBA, SOX, HIPAA, SB1386, AB 1950, etc. were even more vague. At least PCI had some teeth in it.

- There were a few problems with some of the fundamental behind the PCI requirements. Most of the emphasis was on network and wireless while 80% of attacks are occurring through Web applications!!

- Of course, companies will get the quickest way to compliance even if security is not achieved. It’s no different then companies getting their accounting books audited and auditors giving them a passing grade even if they were not. Think of PWC missing Satyam’s billions of dollars in discrepancy

- Heartland was “duped” by their service provider. Heartland’s intentions were right. They were paying a service company a lot of money and relying on their expertise and they didn’t do their job.

- Finally, I always say, that if companies focus on securing their infrastructure first by prioritizing the most vulnerable and easily exploitable areas first, compliance (not just with PCI but all other standards) will fall in place. Doesn’t work the other way.

Thanks
Mandeep

On this last point, developing and enforcing IT policies, considerable research has been done that shows that companies with a structured governance approach – starting with a clear and well communicated set of security objectives, then leveraging a framework like PCI or ISO as guidance to define set of internal controls to cover procedures as well as IT infrastructure settings, that they then test frequently – have the both the best security and compliance outcomes. Even more compelling is that these very same companies that have implemented a IT governance programs have at the same time lowered their overall security and compliance costs by using enterprise software solutions to address the full scope of the business problem, particularly controls automation.

So, in short, Kramer is absolutely right – if your focus is on achieving PCI compliance, that’s exactly what you’ll get, and odds are, you won’t be secure. What companies should be focused on instead, however, is developing a holistic enterprise security program.

Aaron Aubrecht
Sr. Director, Product Management
Symantec

The PCI data security standard has heightened security awareness but, the council’s ongoing development of the standard is a clear signal that it can not be relied upon as an organizational framework for a complete network and data security program. Processes and systems need to be put in place that allows organizations to enforce both corporate and security policies.

Providing a mechanism for strong consumer authentication (as the chip and PIN system in Europe has done) is a critical first step in making the payments system more secure.

Just as important is deploying strong authentication for both logical and physical access to an institutions employees, partners and suppliers. This is the front line in preventing unauthorized access to data whether it is credit/debit card numbers or any other sensitive information.

David Berman
Senior Manager, Solutions Marketing
ActivIdentity, Inc.
http://www.actividentity.com

We are likely have additional reports of organizations in compliance with PCI but that have suffered the loss or theft of customer data, credit card information included. The reasons for this include:

1)PCI is only a snapshot of the practices at the time of the assessment
2)PCI is an assessment, not an audit

So what can you do if you have pass a PCI audit and want it to mean something?

Avoid getting trapped by the chimera of checking off the PCI assessment-box and change practices for the long-haul.

You can find which practices are really driving a difference in, Guidance for Best Practices in Information Security and Audit (no advertising, no gimmicks) at http://www.itpolicycompliance.com today

Other useful information sources:
CobiT and COSO can be found at ISACA: http://www.isaca.org
PCI: http://www.pcisecuritystandards.org
ISO: http://www.iso.org
NIST: http://www.nist.gov
ITIL: http://www.itil-officialsite.com

Best,
Jim Hurley
Managing Director
IT Policy Compliance Group

Is this the case of too many companies who would rather pay the fine than implement security measures? In other words, they would rather pay the $500,000 fine than implement a $2,000,000 security rollout. Is the focus lost on consumer protection in lieu of the bottom line for board members?

One can only hope that PCI continues to grow beyond its current standards and will be addressed with stiffer penalties.

I agree wholeheartedly about your position on PCI. Inherently it is band-aid on a gigantic open wound that needs a much stronger solutions.

Outside of the United States, banks and credit card processors have implemented security measures such as smart credit cards and PIN generators for consumers. These measures make the recording of credit card information useless to hackers and criminals.

Unfortunately the credit card industry here in the USA felt it was cheaper to force PCI on merchants and fine them for breaches instead.

The idea of protecting personal sensitive data (such as driver license information and Social Security card numbers) via strong encryption with good access control systems makes sense.

In this area, as well as the implementation of basic controls such as: strong ever changing privileged account passwords (we do that at http://www.liebsoft.com ), data encryption, and segregation of duties, PCI does perform a useful role in helping companies get more secure.

In the current situation of limiting breaches, PCI does help, but stronger technology must be implemented by the credit card issuers, otherwise the criminals will always have the upper hand.

On the other hand, companies must also pay attention to internal threats and implement their own control systems that make sure that employees only have access to sensitive information on a “need to know” basis and only for a limited period of time, with all accesses audited to sensitive systems. Most organizations only implement such proper controls after they have been attacked and have lost substantial sums of money.

The failure to implement corporate security is akin to someone having to get into a car accident and “nearly losing the lives” to believe in and begin wearing a safety belt and follow the law when driving. Just as in driving, security requires a company to drive defensively and implement controls for both external and internal threats .

PCI is a good start, but only a tiny part of the security posture needed to secure their assets.

Philip Lieberman
President
Lieberman Software Corporation
http://www.liebsoft.com

Security is just a fiendishly difficult thing to achieve – the defender must prevent all attacks whilst the attacker only needs to get lucky once.

I agree that PCI is not taken seriously by all firms – and many hide behind the words of the standard rather than embracing the spirit of it. For those firms who become passionate about security, PCI does not limit those wishing to go beyond the standard, and just maybe, it will force the introduction of the concepts of data security to boards who would have otherwise been oblivious.

Yes – beef up PCI! Don’t run it down.