Data Breaches Show PCI DSS Ineffective

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found that 71% of companies do not consider PCI DSS strategic, even though 79% had experienced a breach.

Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey? Is PCI DSS a failure in the eyes of US companies?

Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security: the cost of damage, and the goodness of fit of the countermeasures.

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k, then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business, not a third-party checklist designed by a committee and obsolete by the time it is published.

The fact that the Ponemon study shows 71% of the businesses surveyed don’t see PCI as strategic indicates that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition. If you want to satisfy the two principles, you have to prove two hypotheses. The first: data loss is currently happening.

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?
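The five questions above are a measurement problem before they are a compliance one. As an added example (not from the original post), the following Python aggregates a few constructed egress records to answer the first four questions and flags AUP violations for the fifth under a hypothetical policy; every field name, host and policy rule is an assumption.

```python
from collections import Counter

# Constructed egress records (not real traffic); every field and the AUP below
# are assumptions for this example, not anything from the original post.
EVENTS = [
    {"user": "alice", "dst": "processor.example", "proto": "https", "type": "cardholder", "bytes": 4200},
    {"user": "bob", "dst": "mail.example.org", "proto": "smtp", "type": "cardholder", "bytes": 88000},
    {"user": "carol", "dst": "cdn.example.com", "proto": "https", "type": "public", "bytes": 1000000},
    {"user": "bob", "dst": "share.example.net", "proto": "https", "type": "internal", "bytes": 250000},
    {"user": "dave", "dst": "ftp.partner.example", "proto": "ftp", "type": "internal", "bytes": 12000},
    {"user": "alice", "dst": "processor.example", "proto": "https", "type": "cardholder", "bytes": 3900},
    {"user": "erin", "dst": "203.0.113.7", "proto": "ssh", "type": "cardholder", "bytes": 5500},
]

# Hypothetical AUP, expressed as the post's "information behaviour": sensitive
# (cardholder) data leaves only to the processor over HTTPS, controlled
# (internal) data leaves over approved protocols only, public data flows freely.
AUP = {
    "cardholder": {"dst": {"processor.example"}, "proto": {"https"}},
    "internal": {"dst": None, "proto": {"https", "sftp"}},   # None = any
    "public": {"dst": None, "proto": None},
}

def summarize(events):
    """Answer the first four questions: what leaves (bytes by data type), who
    sends non-public data, where it goes, and which protocols carry most events."""
    bytes_by_type, senders, dst_bytes, proto_events = Counter(), Counter(), Counter(), Counter()
    for e in events:
        bytes_by_type[e["type"]] += e["bytes"]
        dst_bytes[e["dst"]] += e["bytes"]
        proto_events[e["proto"]] += 1
        if e["type"] != "public":          # only count senders of non-public data
            senders[e["user"]] += 1
    return {"bytes_by_type": bytes_by_type, "senders": senders,
            "dst_bytes": dst_bytes, "proto_events": proto_events}

def aup_violations(events, aup=AUP):
    """Answer the fifth question: which transfers break the AUP, and why."""
    found = []
    for e in events:
        rule = aup.get(e["type"])
        if rule is None:
            found.append((e["user"], e["dst"], "unclassified data type"))
        elif rule["dst"] is not None and e["dst"] not in rule["dst"]:
            found.append((e["user"], e["dst"], f"{e['type']} data to unapproved destination"))
        elif rule["proto"] is not None and e["proto"] not in rule["proto"]:
            found.append((e["user"], e["dst"], f"{e['type']} data over unapproved protocol {e['proto']}"))
    return found
```

Running `summarize(EVENTS)` shows HTTPS carrying the most events and cardholder data totalling about 100 KB, while `aup_violations(EVENTS)` lists the SMTP, FTP and SSH transfers as the three policy breaches.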

The second: a cost-effective solution exists that reduces risk to acceptable levels.

* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?

If PCI is a failure, it is not because it doesn’t prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use its common sense and ask these practical, common-sense business questions.

Comments

My comments did have paragraphs and structure before the blog engine improved it.
These are some of the best comments I have seen. The PCI SSC has made every regulatory mistake in the book. These are not functional requirements, accompanied by safe harbor alternatives. There is no provision for dealing with limitations of existing products and, as this commenter has said, there is precious little support for the effectiveness of the required measures. It's all pretty much conventional wisdom. That has some value, but we all know it includes all the mythology as well. Password changing is the easy shot: frequent changes result in less security, according to actual studies.

The whole definition of "transmit cardholder data" is vague. The practitioners are applying all sorts of interpretations. As I read the standard, my hole-in-the-wall liquor store that uses an IP credit card processing machine needs to have scans and an incident response plan, tested annually. They transmit cardholder data over their network. I can find no exception whatsoever for that data being encrypted.

Network segmentation gets a vague wave of the wand. And there are no definitions that permit exempting other portions of the network. I have only recently come to this interesting realm, but I have not found any explicit definition or exception that actually allows omitting any portion of a segmented network if encrypted cardholder data passes thru it. In fact, there is no exemption that removes the "cloud" from compliance obligations, only some exemplary stuff that suggests this might have been the intent. A literal reading prohibits use of the Internet, so I suppose we are supposed to contract for private links back to our processors. Any suggestion that a literal reading is not necessary sort of voids the whole standard.

In the case of my current client, it looks like we have to put each store server in a secure area with a security camera and retain the images. Review logs daily. So forth and so on, doing everything a Fortune 500 company would do at every store location.
It's pretty ludicrous. There is no process for clarification. No one is authorized to make an interpretation. The feedback process exempts itself from standards with the rigor of the regulation they have promulgated, and weighs heavily toward acquiring feedback from parties with strong conflicts of interest. And my real, overriding gripe is that this whole insane exercise is because the PC Industry itself is trying to use in-the-clear PANs as secret passwords. The PAN is analogous to a user ID, not a password. This is single-factor authentication. Merchants should only accept this incredibly burdensome anti-trust collusion if the industry is racing full speed ahead to implement PINs for all payment cards. I reckon we need to take that up with Congress.
