PCI Shrugged

Ben Rothke, CISSP, PCI QSA & Anton Chuvakin, PhD

Ayn Rand’s 1,100-page treatise Atlas Shrugged deals with the morality of rational
self-interest. Among information security professionals, there is likely no greater example
of self-interest than the promotion of the PCI Data Security Standard (DSS). PCI is a
pragmatic standard which requires security-comatose organizations to wake up to their
responsibilities. And, while PCI is only required for companies handling credit and debit
cardholder data, its guidance is relevant to any organization.

The writers of this article are not suggesting PCI DSS is flawless. Yet even with its
limitations, it is better than the status quo of self-enforcement or, sadly, security
negligence. Information security professionals who should know better are attacking PCI
for baseless reasons, even though it is one of their most effective tools for getting attention
from senior management.

Let’s now take a look at some of the issues/complaints leveled against PCI and see how
they really stack up.

PCI is a Distracter from Security and Risk Management?

A common complaint among those who have to deal with PCI on a regular basis is that
being compliant with the payment card standard takes away from the time, money and
effort that could be better spent on core information security issues. But we beg to
disagree; everything about PCI is core security. One cannot start dealing with advanced
security and technology topics, such as thwarting loss of intellectual property or insider
threat protection, before the PCI-prescribed basics, such as network control, anti-malware
and system logging, are in place.

Previous data security efforts, such as Sarbanes-Oxley, have encouraged a check-box
approach to compliance. However, those organizations that have developed a formal
information security program will find that PCI compliance is useful for security and not an
onerous distraction. The 6 PCI DSS control areas and 12 objectives all correspond to good
security practices. Therefore, if an organization has a mature security program, PCI DSS
will be easy. If it doesn’t, PCI DSS presents a perfectly logical place to start.

While an organization can attempt to pursue PCI DSS compliance for compliance’s sake
without regard to security, such irresponsible behavior can hardly be blamed on the PCI
DSS standard itself. Thus, most security practitioners who feel that PCI DSS detracts from
security probably do not understand PCI or the fundamentals of information security.

Data Breaches Prove PCI DSS Useless?

The Heartland breach has been used extensively by the media to show that PCI is
ineffective. While the dust has yet to clear from Heartland, let’s assume for a moment that
this large payment processor was 100% PCI compliant. True, we do know that Heartland
was most likely not compliant at the time of the breach, but bear with us. One should not
assume that compliance necessarily means that breaches can’t occur. A simpler
explanation applies here: they were breached despite being PCI DSS compliant.

It is surprising to the authors that security professionals would hold the view that following
an external guidance document can guarantee 100% security to any organization. A
person can walk out of a doctor’s physical in seemingly perfect health and drop dead before
they reach their car. That does not necessarily mean that the doctor was incompetent or
that medicine is a faulty science! In much the same way as a doctor cannot guarantee the
health of the patient, neither PCI nor any other regulatory guidance can guarantee that
there will not be breaches. 100% PCI compliance does not guarantee an entity is 100%
secure, or even as secure as it needs to be. Complexity is the worst enemy of security, and
today’s payment systems and merchant networks are far too complex to be made
bulletproof. If Heartland proves anything about PCI, it is that basic PCI DSS security is not

PCI is Just Security Theater?

Security theater is a term popularized by BT CSO Bruce Schneier. Schneier used it
originally to describe what he sees as the ridiculous TSA security measures in use at US
airports. Security theater gives the semblance of security, but delivers no real security
benefit or risk reduction.

Can PCI be used as security theater? Certainly it can. An organization can quickly follow
the letter and not the spirit of the standard just to get the auditors off its back. It can
procure some security appliances and other hardware, find a QSA (Qualified Security
Assessor) who is not aggressive enough, and pass its assessment.

However, if done correctly and seen as a security starting point rather than a compliance
end point, PCI is the antithesis of security theater. PCI compliance is simply taking 12 core
areas of security and implementing them. PCI is not the alpha and omega of security; it is
meant to be used as a lower limit of security, not the ultimate goal.

Is PCI a Dumb Checklist?

No one likes peas. As children, Mom made us eat them. Maternal verification of pea
consumption was made by simply looking at the plate; an empty plate meant a belly full of
peas. Of course, Mom could have verified consumption by checking the pea-infested floor,
or by looking at the dog’s green teeth.

For many, PCI compliance means emptying their plates via yet another compliance
checklist. They often do the bare minimum in the hope that they can gain compliance and
make the QSA go away. At times they may even lie to their QSA or on the Self Assessment
Questionnaire (SAQ).

Organizations that are serious about security realize that checklist-based security is not the
same as risk-based security. Far too many organizations have an audit-based mentality,
focused on evading the auditor, rather than a risk-based mentality focused on protecting
cardholder data.

PCI DSS is a good start for a security program, not its end. Checklists do have their place in
security, but a security program cannot be reduced to a checklist; attempts to pretend that
an organization can follow the checklist to become secure are guaranteed to fail. As Bruce
Schneier has noted: security is a process, not a product.

What the Future Holds

At the Visa Global Security Summit in March, Ellen Richey, Visa Chief Enterprise Risk
Officer, stated that despite recent data breaches at two payment processors, PCI DSS
remains an effective security tool when implemented properly. Recent events revealed
that the breached organizations seemed to have disregarded PCI’s common-sense security
guidance and were later removed from the list of compliant organizations. Thus, every
breach further proves the need for a comprehensive payment security standard.

Not only is PCI not dead, it is alive and well and maturing. In its current version 1.2, it is
still evolving, but it is clearly the best we have. The authors challenge anyone to find a
better standard or regulation. PCI has helped countless organizations to jumpstart their
security programs from scratch. It helped them move from security ignorance to first
addressing the basics and then to their own security nirvana.

Most of those who make baseless criticisms of PCI simply lack an understanding of the
fundamentals of information security and risk; they also lack an understanding that many
organizations need to learn to “stumble” with security before they can walk, much less run.

Most attacks against PCI amount to “we don’t like it” or “PCI is useless”, rather than a
direct critique of the standard or suggestions for how it can be improved.

PCI has taken the masses of security-illiterate companies and forced many of them into
some semblance of security. It has given them 12 specific requirements with which to
start their security program. The biggest positive of PCI, which fully justifies its
continued existence, is that it shoved security in the faces of people who managed to live
through the wormy ’90s and the lossy ’00s without paying much attention to information
security, under the guise of “it can’t happen to us”.

PCI is not perfect; but neither is the world in which we live. PCI is not security pixie dust to
magically make a security-ignorant organization secure despite itself. If an organization is
hell-bent on ignoring security, PCI will not make it security conscious. If it wants to
become more secure, PCI DSS guidance can be of service.

Ben Rothke, CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional
Services and the author of Computer Security: 20 Things Every Employee Should Know
(McGraw-Hill Professional Education).

Dr. Anton Chuvakin is involved with PCI DSS compliance at Qualys. He is an author of the
book Security Warrior and a contributor to the books "Know Your Enemy II",
"Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance",
"OSSEC HIDS" and others.
