The Green Sheet Online Edition
January 10, 2011 • Issue 11:01:01
Risk management and PCI
In recent articles I've talked about how Payment Card Industry (PCI) Data Security Standard (DSS) compliance needs to move toward a "risk management" approach to security.
Now is a good time to say more about what that approach is, how it works, and what its strengths and weaknesses are. Fortunately, all of this information is useful right now and isn't just preparation for some future requirement.
The core idea behind risk management is that you can't treat the idea of "safe" as if it's an on/off switch, with the "on" setting meaning no risk.
There is no such thing as no risk. We all spend every moment of our lives - our personal lives as well as our business lives - surrounded by risk: the chance of being affected by cancer, car crashes, corporate malfeasance or a troubled economy, for example. It's just that when the risk is small enough, we simply live with it.
This approach is pragmatic. If you get fixated on eliminating all risk, you'll fail. Card processing exists only because it makes business sense for merchants to offer it; security that costs more than the business it protects defeats its own purpose.
We're never going to sell security to merchants by saying, "Your transactions are now incredibly safe, and it only costs an extra $100 per transaction." The goal of PCI is to make cardholder data as safe as possible - in a way that is technically and economically viable.
The goals of risk management
With that in mind, the idea of "safe" transforms into "safe enough." Instead of attempting to eliminate the risk, we focus on whether we can reduce the risk enough so it can be relegated to the enormous list of dangers we just live with every day. In other words, we need to ask, can we manage the risk?
By the way, risk management doesn't do away with questions of how to handle security; the technical details still need to be addressed. It does provide ways to think about what to do, why to do it and in what order. It gives you the right way to start on these issues; the technical details then follow.
So if risk is the key idea, how do we manage it? For that matter, what is risk?
There are various ways to define or measure risk, but the basic idea is that it measures the degree to which you should be concerned about a particular danger or threat. You could say risk is a combination of likelihood and consequences, where likelihood is how likely it is that a negative event will occur, and consequences are how much damage (financial, reputational or physical) that event would cause. The simplest rating is the product of the two, and it is what most risk registers use.
A threat such as nuclear war has a low risk rating (we hope) because even though the consequences would be very high, the likelihood is extremely low.
The risk associated with drinking lukewarm coffee is also low, but for a different reason: no matter what the likelihood, the consequences are minor.
If you store thousands of customer credit card numbers on a poorly secured system, the consequences and likelihood of a negative event are high, so the risk score is high.
Risk management advocates the following: don't spend time worrying about bad coffee or nuclear war. Focus on fixing the risks at the top of the list, such as those poorly protected card numbers.
A step-by-step approach
A risk management approach involves these steps:
- Identify assets that need protection. This includes more than just money and physical assets; it encompasses sensitive data, company reputation, legal standing and so on.
- Identify threats to those assets. Threats can include everything from hackers to embezzlement to accidental loss to earthquakes.
- Determine an acceptable level of risk for these threat-asset combinations. Remember the answer won't be zero: that isn't realistic. Think in terms of managing risk down to a reasonable level, not extinguishing it.
- Estimate the likelihood and the consequences of the threat actually happening; you can calculate a risk rating for any given threat scenario.
- Address threats with a risk rating above your determined acceptable level. This means applying additional security measures to bring down the likelihood or consequences, or both, of the underlying threat until the risk is acceptable.
Here are a few additional tips:
- Don't get hung up on trying to measure these factors too precisely. Analyze the details, but remember that risk issues are complicated and messy.
If you get too caught up in the hunt for specific, accurate numbers, things will quickly become impractical. You are better off having a reasonable and thoughtful estimate today than an accurate measurement next year.
- When it is time to fix a problem by reducing the risk to an acceptable level, your solution needs to reduce either the likelihood of the threat, or the consequences, or both. (If it doesn't affect either of those, what good is it?)
For example, fire insurance doesn't reduce the chances of a fire, but it does damp down the economic consequences. On the other hand, banning smoking in the workplace reduces the likelihood that people will smoke, and thus the likelihood that an unattended cigarette will spark a fire.
In the context of PCI, encrypting stored card data can dramatically reduce the likelihood of an attacker obtaining usable sensitive information (provided the keys are held somewhere the attacker who gets the data does not), while reducing the number of records stored, or not storing full card numbers at all, reduces the consequences.
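The five steps and the likelihood/consequence tips above can be carried through in a small risk register. The following Python is an added example, not code from the article or from Panoptic Security: it rates each threat-asset combination on a coarse 1-5 scale, keeps only the scenarios above an acceptable level, and then adds controls (each described by what it actually does to likelihood or consequence) until the scenario is acceptable. Every asset, threat, score, control and cost below is a constructed illustration, and the "acceptable" threshold of 6 is an assumed value.

```python
"""Worked risk register for the step-by-step approach (added example,
not the article's own). Likelihood and consequence use a coarse 1-5 scale,
the rating is their product, and a control is modelled by how many points
it removes from each factor. All data below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat-asset combination (steps 1 and 2)."""
    asset: str
    threat: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    consequence: int  # 1 = negligible .. 5 = catastrophic

    def rating(self) -> int:
        # Step 4: a coarse rating; precision beyond this is not worth chasing.
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    """A security measure, described by which factor it actually changes."""
    name: str
    likelihood_delta: int = 0   # points removed from likelihood
    consequence_delta: int = 0  # points removed from consequence
    cost: int = 1               # relative cost, 1 = cheap

    def useful(self) -> bool:
        # A control that moves neither factor does nothing for risk.
        return self.likelihood_delta > 0 or self.consequence_delta > 0

    def apply(self, s: Scenario) -> Scenario:
        return replace(
            s,
            likelihood=max(1, s.likelihood - self.likelihood_delta),
            consequence=max(1, s.consequence - self.consequence_delta),
        )


def rank(scenarios):
    """Highest-rated scenarios first; the tail of the list is lived with."""
    return sorted(scenarios, key=lambda s: s.rating(), reverse=True)


def needs_treatment(scenarios, acceptable):
    """Steps 3 and 5: only scenarios above the acceptable level get worked on."""
    return [s for s in rank(scenarios) if s.rating() > acceptable]


def treat(scenario, controls, acceptable):
    """Greedily add controls, best rating reduction per unit of cost first,
    until the scenario is at or below the acceptable level.
    Returns the treated scenario and the controls applied, in order."""
    remaining = [c for c in controls if c.useful()]
    applied = []
    current = scenario
    while current.rating() > acceptable and remaining:
        def value(c, now=current):
            reduction = now.rating() - c.apply(now).rating()
            return (reduction / c.cost, reduction)
        best = max(remaining, key=value)
        if value(best)[1] <= 0:
            break  # nothing left that actually lowers the rating
        remaining.remove(best)
        applied.append(best)
        current = best.apply(current)
    return current, applied


ACCEPTABLE = 6  # assumed threshold: ratings of 6 or less are simply lived with

# Constructed register for a small merchant.
REGISTER = [
    Scenario("PANs stored in the POS database", "external attacker via a web app flaw", 4, 5),
    Scenario("PANs stored in the POS database", "insider copies a data export", 3, 5),
    Scenario("online store", "denial-of-service outage", 3, 2),
    Scenario("back office", "fire", 1, 3),
]

# Constructed controls; the deltas express the point made in the tips above:
# encryption lowers likelihood, storing less lowers consequence, insurance
# lowers consequence only, and a measure that moves neither is skipped.
CONTROLS = [
    Control("stop storing full PANs (truncate / tokenize)", consequence_delta=3, cost=2),
    Control("encrypt stored PANs, keys held outside the database", likelihood_delta=3, cost=3),
    Control("cyber insurance", consequence_delta=1, cost=3),
    Control("quarterly security newsletter", cost=1),
]


def example():
    """Treat the worst scenario in the register; returns (to-do list, result, controls)."""
    todo = needs_treatment(REGISTER, ACCEPTABLE)
    treated, applied = treat(todo[0], CONTROLS, ACCEPTABLE)
    return todo, treated, applied


if __name__ == "__main__":
    todo, treated, applied = example()
    for s in todo:
        print(f"{s.rating():2d}  {s.threat} -> {s.asset}")
    print("treating:", todo[0].threat)
    for c in applied:
        print("  +", c.name)
    print("  rating now", treated.rating())
```

Run as a script, it lists the two scenarios above the threshold (rated 20 and 15), then treats the worst one: storing less data is picked first because it buys the largest reduction per unit of cost, encryption second, and the newsletter is never considered because it changes neither factor. The score only orders the work; it does not waive a requirement that applies regardless of the number.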
Addressing risk at the portfolio level
Risk management is a good idea at the merchant level, but it is more complicated and demanding than a simple follow-the-steps approach. The smart approach: don't dump the burden on merchants; provide them with guidance on risk management instead.
This approach demands better tools and analytics at the portfolio-owner level. It no longer makes sense to treat your merchants as a single group. Instead, learn to "slice and dice" your portfolio in intelligent ways and treat the different subgroups with different strategies.
With the right tools and analytics, you can make your overall portfolio safer, while at the same time making your PCI program more efficient and cost-effective.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.