The Green Sheet Online Edition
May 11, 2009 • Issue 09:05:01
Extending security beyond assessments
The recent security breaches at a number of financial institutions that were Payment Card Industry (PCI) Data Security Standard (DSS) compliant have created much controversy and prompted discussion of the standard itself. People have asked: if an organization was validated as PCI compliant, how could a thief have stolen cardholder data from it?
The answer lies in the difference between compliance and security.
There's no denying the PCI DSS has helped merchants, ISOs, processors and the card brands protect cardholder data. Because of the PCI, more merchants are taking security into consideration than ever before. The decrease in storage of prohibited data among merchants investigated by Trustwave is just one example of this progress.
Another illustration of the value of the PCI DSS is that hackers have had to use more sophisticated methods to steal sensitive data. This is largely due to merchants doing a better job of protecting cardholder data because of the PCI DSS.
Consistency is critical
Unfortunately, for many organizations, compliance has devolved into a mere checklist completed once a year. The challenge lies in making the data security best practices outlined in the PCI DSS a part of an organization's everyday routine.
Compliance does not stop with validation, whether it's via the PCI Self-Assessment Questionnaire (SAQ) or an on-site assessment. Compliance validation is not the end or ultimate goal; the security of cardholder data is.
PCI compliance is a means to an end. It helps secure more networks more effectively to help prevent the theft of consumer card information.
An organization should not institute PCI DSS controls simply to have something to show an assessor on the day the assessor shows up or when completing the annual SAQ.
True security transcends an assessment, so the due diligence required in maintaining the PCI DSS must continue every day - year in, year out.
For example, requirement 10.6 mandates an organization "review logs for all system components related to security functions at least daily." An assessor can confirm that an organization's policies and procedures call for the review of these logs.
Beyond that, the organization must acknowledge that daily review of these logs is a best practice and ensure designated staff members complete those actions daily.
Secure applications are a start
Another similar issue is the belief among some merchants that if they're using a payment application listed by Visa Inc. or the PCI Security Standards Council (SSC) as compliant with the Payment Application (PA) DSS, they are secure. One security control, policy or procedure will not make a network secure.
Nor can security ever be perfect. No security standard will ever be absolutely effective because hackers will research the standard to determine what newer, more sophisticated security technologies they need to learn in order to exploit weaknesses in the system.
This does not imply the quest for security is futile. It means real security requires constant re-evaluation and remediation of any issues uncovered.
As hackers' techniques evolve to circumvent better security, the PCI SSC and participating organizations work to update the standard via the lifecycle process for any changes to PCI.
Again, security is not an exercise in perfection. Security is a constant pushing and pulling between legitimate organizations that do their best to protect themselves and the malicious cyber criminals who change their methods to thwart those financial organizations' efforts.
Security goes beyond certification
Trustwave finds that the best use of the PCI compliance process is to consider the standard a baseline for best practices to support a broader security program.
For example, PCI DSS requirement 11.2 calls for internal and external network vulnerability scans at least quarterly. However, with the steady disclosure of new vulnerabilities and the development of malware and techniques to exploit them, it's recommended that financial institutions scan their networks as frequently as possible.
You can meet PCI DSS compliance requirements by scanning just once a quarter, but a diligent organization wants to discover vulnerabilities as they arise, rather than find out at the end of a quarter that a vulnerability left their network open to attack for months. Organizations must perform due diligence beyond the card brands' annual validation actions to protect their brands and customers.
Bob Russo, General Manager of the PCI SSC, has stated repeatedly that the PCI SSC is not aware of a single case of payment card data theft in which the breached organization was compliant at the time of the breach. Trustwave's findings in the investigations of over 400 cases of payment card compromise support that statement.
A forensics investigation includes a post-breach PCI DSS assessment, and Trustwave investigators have not encountered a single case in which the victim organization was compliant at the time of the breach.
Diligence is necessary
That's not to say the violated organization hadn't gone through an on-site assessment or filled out the SAQ, but rather the processes, procedures and controls put in place at that time were not maintained.
In some cases, processes or procedures were no longer followed. In other cases, a particular piece of technology was reconfigured improperly or fell into disrepair.
True payment card data security must transcend the assessment and become a part of a business' everyday operations. Only proper diligence on the part of an organization that processes, transmits or stores cardholder data can bring that idea to fruition.
Of course, that is no easy task, and many security providers offer a number of automated solutions to help merchants monitor their security and compliance status continuously.
Log monitoring can provide an automated, permanent solution to fulfilling requirement 10.
Done properly, it scans any system on which it is installed and reports on prohibited data storage, system configurations and security policy settings to provide continuous insight into a system's compliance and general security status.
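As an added illustration of the "prohibited data storage" check described above (example code written for this edition, not Trustwave's product or any PCI SSC tool): a small Python scanner that looks for unmasked primary account numbers (PANs) in files. The sample log lines, file names and the well-known test card numbers are constructed; the scanner validates candidate digit runs with the Luhn checksum and reports only masked values, so its own output does not itself become prohibited data.

```python
"""Scan files for unmasked primary account numbers (PANs).

Constructed example of the prohibited-data-storage check a continuous
compliance monitor performs. Candidate 13-19 digit runs (optionally
separated by spaces or dashes) are validated with the Luhn checksum, and
every hit is reported masked as first six / last four digits.
"""
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, each optionally followed by a space or dash; the
# lookarounds stop the pattern from matching the inside of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed point-of-sale log: one unmasked PAN with spaces, one already
# masked (must not be reported), one unmasked PAN with dashes, a 13-digit
# reference that fails Luhn, and a phone number that is too short.
SAMPLE_LOG = (
    "2009-05-11 09:12:03 POS-7 auth ok card=4111 1111 1111 1111 amt=42.10\n"
    "2009-05-11 09:12:45 POS-7 auth ok card=550000******0004 amt=9.99\n"
    "2009-05-11 09:13:10 POS-7 refund card=5500-0000-0000-0004 ref=1234567890123\n"
    "2009-05-11 09:14:00 POS-7 callback phone=312-873-7291\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every second digit from the right is doubled (subtracting 9 when the
    result exceeds 9) and the total must be a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text (Luhn-valid 13-19 digit runs)."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_files(paths) -> dict:
    """Map each readable file path to the masked PANs found in it."""
    report = {}
    for path in paths:
        try:
            text = Path(path).read_text(errors="replace")
        except OSError:
            continue  # unreadable files are skipped, not fatal
        hits = find_pans(text)
        if hits:
            report[str(path)] = hits
    return report


def demo() -> dict:
    """Write the constructed samples to a temp dir, scan them, return hits."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "pos.log"
        log.write_text(SAMPLE_LOG)
        clean = Path(tmp) / "settings.ini"
        clean.write_text("timeout=30\nretries=3\n")
        report = scan_files([log, clean])
    return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {len(hits)} unmasked PAN(s): {', '.join(hits)}")
```

The Luhn filter removes most random digit runs (order numbers, timestamps, phone numbers), but roughly one in ten random 16-digit strings still passes it, so a hit is a lead for a human to confirm, not proof of a violation. A production monitor would additionally cover binary files, databases and swap space, and record when each scan ran so the daily-review evidence for requirement 10 exists when the assessor asks for it.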
The PCI DSS applies in different ways to different organizations. When an organization begins work on its compliance projects, it's important to remember the PCI DSS and compliance validation are not the ends; they are a means to protect cardholder data and institute a larger, more thorough security program.
As Chief Marketing Officer of Trustwave, Michael Petitti oversees all of the company's marketing initiatives. He also serves on the Merchant Risk Council's Board of Advisers, the Electronic Transaction Association's Risk and Fraud Committee and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.