PCI DSS and Regulatory Compliance Blog

Bloggers not for easing PCI DSS

May 11th, 2007 Posted in Banking, PCI DSS

…thought this was interesting:

—–[snip]—–
It was hard to brush aside comments made by First Data CISO Phil Mellinger, who suggested at a recent forum that the Payment Card Industry’s Data Security Standard (PCI DSS) should be overhauled to eliminate subjectivity, ease restrictions and help more merchants comply. After all, Mellinger did develop the precursor to the current standard.

But this week I haven’t found many people who agree with him. During a panel discussion on identity fraud in New York Tuesday, I asked a couple of financial practitioners if the rules should be eased to help more merchants comply. Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, summed up the consensus in the room when he said, “It’s our responsibility to meet the bar that’s been set.”

Many industry professionals seem to share that attitude, if a recent scan of the blogosphere is any measure.

Let’s start with SearchSecurity.com’s own Security Bytes blog, where we ran some comments from those who have followed our coverage of Mellinger’s talk.

Chris Noell, an executive analyst, CISSP and QDSP, wrote that Mellinger’s suggestion for a simpler standard that rises over time would have been a good idea at one point, but that given where we are today, it would be a step backwards.

“Over the last four years, numerous merchants and service providers have told me that they are reluctant to do anything until the very last minute because the card brands have a way of changing their standards, invalidating compliance investments,” he wrote. “Lowering the bar now would just confirm this suspicion and cause an erosion of credibility. The 35% of Level 1 merchants who are currently compliant would feel like they had wasted money and would be understandably bitter.”

Rick Hayes wrote that Mellinger is missing the boat on PCI. “Obviously, there is an issue with merchant compliance,” he wrote. “This is compounded by the fact that generally it takes anywhere from 18-24 months to actually meet the requirements of the ‘dirty dozen.’”

But, he added, relaxing PCI DSS will not have any effect other than to increase the likelihood of more data breaches. “It certainly won’t mean that more merchants will become compliant,” he said. “What needs to be adjusted is the timeline, not the requirements. I don’t think anyone in their right mind would or should argue that implementing such basic tenets of security is a bad thing. That is really what PCI is about — basic security best practices.”

The Ambersail infosec blog offered a similar perspective. It expressed sympathy for organizations the size of First Data and said compliance must be tough for them. But lowering the compliance requirements isn’t the answer. In the end, the blog said, PCI DSS compliance demands the types of security procedures companies should already be taking.

“Compliance is tough for everyone, big and small,” the blog said. “And what we had before was, well, nothing really. Chaos.”

Moin Moinuddin, a self-described industry architect with Microsoft Corp., wrote in his ARC Thoughts blog that PCI DSS compliance is good for a company’s security and cost controls.

“For example,” he wrote, “a retailer who had never really done an internal assessment before now did this and [it] resulted in [the] consolidation of servers in the stores using [a] virtual server product. So this helps in reducing overall cost of maintenance in addition to improving security.”

The bottom line is that nobody is accusing Mellinger of giving up on PCI DSS or security. Many people agree the standard could use some changes. But they also believe companies are having trouble with PCI DSS because their security programs were lacking to begin with.

The last thing companies like that need is an easier ride to compliance.
—–[/snip]—–

8 Responses to “Bloggers not for easing PCI DSS”

By APM on May 13, 2007

    In my opinion, there is nothing fundamentally wrong with the PCI DSS Standard. Some areas could do with less subjectivity and I think it would help if PCICo published a list of “acceptable standards” or acceptable sources of “best practice”. This would help the target organisations to understand what is and what is not acceptable from the compliance point of view.

    One thing I do think needs to be improved is the support network. From my experience, Acquirers, QSAs and ASVs are not clear enough on what is compliant and what is not.

    As an example, the company I work for had two test PCI Scans done by two different companies. They returned different results and when challenged, both said that their reports were accurate and had been “validated” by Visa / MasterCard. This is not helpful.

    The other thing is the participation by the card schemes. So far, they seem to be passing everything off to the Acquirers without providing the Acquirers with the support they need.

    Compliance IS tough and the problem for merchants at the moment is that a lot of them have not been involved in compliance requirements before. This does not mean that the requirements should be watered down but it does mean that people will need more support and assistance in the early months / years.

By Danny Lieberman on May 14, 2007

    In response to the previous post from Andrew Mason I would have 3 comments:

    1) PCI is a compliance checklist driven by regulator (VISA/MC) - the regulator has absolutely no idea about what your business situation or network setup is.
    The standard itself was written over 5 years ago and may not be relevant for most. A case in point is a client who called me up the other day with a “PCI vulnerability related to LDAP” - I explained that they are using a version of OpenLDAP that is not vulnerable - period. But - still the fear of non-compliance led the customer to shut down a port and cause a fair amount of damage to a production operation for absolutely no need at all.

    2) The small-to-mid-size merchants can run these $10/month scans - I think they are basically next to worthless. You can get better results by using Nessus or simply shutting down all unnecessary services and patching your applications.
    The thought that a scanning service can help mitigate risk is a chilling thought for me. For the SME I would suggest an excellent piece of freeware called PTA - Practical Threat Analysis - the folks over at Control Policy Group have done a great job on automating ISO 27001 risk assessments - you can read about it here - http://www.controlpolicy.com/automatingiso27001implementations
    and download PTA here - http://www.software.co.il/pta

    3) The big guys like First Data don’t have any of my sympathy - they have the resources to do it right but even they could benefit from using a first-principles threat analysis tool like PTA that makes them put on their thinking caps. Consider ChoicePoint - who were world-class secure and PCI compliant and got ripped off by a business partner - the PCI DSS doesn’t require background checks for reseller partners since its focus is primarily technical controls like TCP/IP ports and servers.

    My 2c
    Danny

By Slavik on May 14, 2007

    Who are we kidding here? PCI DSS is about safeguarding the confidentiality and privacy of credit card information. The version 1.1 update came about to address gaps in version 1.0 - real gaps. Making PCI DSS more palatable to laggards is not going to help them improve, it’s just going to let others get away with doing less.
    What are they moaning about? Storing CC data is a privilege, not a birth right. Nobody is forcing companies to store this data - it’s just easier to do business. If companies can’t comply with minimal security standards, then they should not be handling CC data and should outsource that to those who can.
    Unlike other regulatory compliance (e.g. HIPAA, SOX, GLBA), PCI DSS is not a law, it’s an industry standard. This gives it real commercial bite, the benefit of being easier to update, and luxury of being a lot more specific on the kind of procedures and tools companies need to employ in order to be compliant. Do we really want to do away with those advantages?
    No, the issue here is not with the content of PCI DSS 1.1, it’s with the process of getting companies to comply. Here I do agree that a pass or fail approach is counter-productive, and that there should be clearer guidelines (the Audit Procedures and Reporting document) as to how one becomes compliant, perhaps also a best-practice “start up” guide, and stricter certification of 3rd party service providers who do the preparation and auditing.

By APM on May 15, 2007

    “Storing CC data is a privilege, not a birth right.”

    Hear, hear!

    “Nobody is forcing companies to store this data - it’s just easier to do business.”

    Hear, hear!!

    “If companies can’t comply with minimal security standards, then they should not be handling CC data…”

    Hear, hear!!!

    “…the issue here is not with the content of PCI DSS 1.1, it’s with the process of getting companies to comply.”

    Hear, hear!!!!

    Best comments I’ve read in a long time. Particularly the last one, as I made similar in my post above.

By Danny Lieberman on May 20, 2007

    Slavik,

    Well put.

    But, you cannot get people to comply without showing how PCI DSS can give business value by effectively reducing risk.

    Any bank or card processor knows that processing cards is an ongoing exercise in risk management - yet Visa and MC have ignored their own core business and turned information security into a checklist compliance thing.

    PCI DSS is about mitigating the risk of unauthorized disclosure of credit card numbers (on the assumption that once disclosed they can be used for fraudulent transactions) and PII (on the assumption that with a name, SSN and DOB a bad guy can steal an identity).

    The problem is that the PCI DSS is an all or nothing list of controls:

    A merchant has no way of calculating his risk profile in PCI.
    He has no tool for knowing if implementing the controls will reduce the damage to his assets (business reputation, customer list, charge backs from the bank if he leaks data etc) because:

    a) the standard has no notion of assets
    b) the standard has no notion of threats
    c) the standard has only an implied notion of vulnerabilities
    d) the standard has no agreed upon standard to calculate the risk exposure of a merchant or processor in terms of assets, threats and vulnerabilities.

    I don’t even want to relate to the joke called “5.0 Vulnerability Management” which requires you to have anti-virus - obviously written in by Symantec.

    My 2c
    Danny
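The comment above argues that a checklist gives a merchant no way to express assets, threats, vulnerabilities and countermeasures, or to rank controls by how much risk they remove. The following is an added example, not code from the original post and not the PTA tool's own method: a small asset / threat / vulnerability / countermeasure model for a hypothetical online merchant. Every name, asset value, probability, damage fraction, cost and effectiveness figure is constructed for illustration, and the risk formula (likelihood times exposure times damage, with a threat needing every vulnerability on its path) is a simplifying assumption, not an agreed standard.

```python
"""Minimal asset / threat / vulnerability / countermeasure risk model.

Added example for this page, not code from the original post or from PTA.
All names and numbers are constructed for a hypothetical small merchant.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # assumed money at stake if the asset is fully lost


@dataclass
class Vulnerability:
    name: str
    mitigated_by: tuple   # countermeasures that reduce this vulnerability


@dataclass
class Threat:
    name: str
    probability: float    # assumed annual likelihood of an attempt, 0..1
    damage: dict          # asset name -> fraction of its value lost on success
    exploits: tuple       # vulnerabilities the attack path needs (all of them)


@dataclass
class Countermeasure:
    name: str
    cost: float
    effectiveness: float  # fraction of the vulnerability it closes, 0..1


# Constructed model (hypothetical merchant; figures are not from any assessment).
ASSETS = {a.name: a for a in [
    Asset("cardholder_db", 500_000),   # fines, card reissue, forensics
    Asset("reputation", 200_000),
    Asset("chargebacks", 50_000),
]}
VULNS = {v.name: v for v in [
    Vulnerability("unpatched_web_app", ("patching",)),
    Vulnerability("cleartext_pan_storage", ("encrypt_pan", "stop_storing_pan")),
    Vulnerability("no_av_on_pos", ("antivirus",)),
    Vulnerability("no_partner_vetting", ("partner_background_checks",)),
]}
THREATS = [
    Threat("sql_injection_dump", 0.20,
           {"cardholder_db": 1.0, "reputation": 0.5, "chargebacks": 1.0},
           ("unpatched_web_app", "cleartext_pan_storage")),
    Threat("pos_malware", 0.10,
           {"cardholder_db": 0.6, "reputation": 0.3, "chargebacks": 0.5},
           ("no_av_on_pos", "cleartext_pan_storage")),
    Threat("partner_data_abuse", 0.05,
           {"cardholder_db": 0.4, "reputation": 0.4},
           ("no_partner_vetting", "cleartext_pan_storage")),
]
COUNTERMEASURES = {c.name: c for c in [
    Countermeasure("patching", 5_000, 0.8),
    Countermeasure("encrypt_pan", 20_000, 0.9),
    Countermeasure("stop_storing_pan", 8_000, 1.0),
    Countermeasure("antivirus", 3_000, 0.5),
    Countermeasure("partner_background_checks", 2_000, 0.6),
]}


def open_fraction(vuln_name, deployed):
    """Share of a vulnerability left after the deployed countermeasures.

    Each deployed countermeasure addressing it removes its effectiveness
    share of whatever is still open (independent effects, by assumption).
    """
    remaining = 1.0
    for cm_name in VULNS[vuln_name].mitigated_by:
        if cm_name in deployed:
            remaining *= 1.0 - COUNTERMEASURES[cm_name].effectiveness
    return remaining


def threat_loss(threat, deployed):
    """Expected annual loss from one threat: likelihood x exposure x damage.

    Exposure is the product of open fractions along the path, so closing
    any one vulnerability on the path stops the threat entirely.
    """
    exposure = 1.0
    for vuln_name in threat.exploits:
        exposure *= open_fraction(vuln_name, deployed)
    damage = sum(ASSETS[a].value * frac for a, frac in threat.damage.items())
    return threat.probability * exposure * damage


def total_risk(deployed=frozenset()):
    """Expected annual loss over all threats for a set of countermeasures."""
    return sum(threat_loss(t, deployed) for t in THREATS)


def rank_countermeasures(deployed=frozenset()):
    """Rank undeployed countermeasures by risk reduction per unit of cost.

    Returns (name, risk_reduction, reduction_per_cost) tuples, best first.
    """
    baseline = total_risk(deployed)
    ranked = []
    for cm in COUNTERMEASURES.values():
        if cm.name in deployed:
            continue
        reduction = baseline - total_risk(deployed | {cm.name})
        ranked.append((cm.name, reduction, reduction / cm.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"baseline expected annual loss: {total_risk():,.0f}")
    for name, reduction, ratio in rank_countermeasures():
        print(f"{name:28s} cuts risk by {reduction:>10,.0f} ({ratio:.1f} per $)")
```

With these constructed figures the model ranks "stop storing the PAN" first and patching the web application second, because both sit on every attack path or on the highest-likelihood one; the anti-virus control that the comment singles out ranks near the bottom. The point of the exercise is the structure, not the numbers: the same checklist control can be the best or the worst purchase depending on which assets and threats a particular merchant actually has.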

By Zeev Solomonik on Oct 22, 2008

    Dear Colleagues,

    I would like to inform you that in October 2008 we released a major update of PTA - Practical Threat Analysis Professional Edition (1.54 - build 1206). The latest version introduces a revised reporting system which enables better aggregation and sorting of threat model data and analysis results. The new mechanism allows users to define simple Tags Filter queries which filter the data shown in reports according to the tags attached to the threat model’s entities: Assets, Threats, Vulnerabilities and Countermeasures.

    You are invited to review the latest changes as well as to download and install the freeware risk assessment tool from the following link: http://www.ptatechnologies.com/latestupdate.htm.

    I’ll be happy to have your feedback and answer your questions on any issue.

    Best regards,

    Zeev Solomonik

    The PTA Team
    http://www.ptatechnologies.com

By Tina Nelson on Nov 28, 2008

    Sadly, the only threat that would really motivate a Level 4 merchant is “You will lose your merchant account if you don’t comply”.

    VS, MC, AX, DS are too afraid of losing business to put the hammer down, when it’s really THEIR responsibility to their card holders. For example: to save THEMSELVES money, they give their card holders long expiries, when they have to realize that this allows data to be breached but not abused for what could be years.

    And how is a Level 4 merchant trained in other security measures (thinking that just because their payment application and network is compliant ~ so they are, also)? Our next security article rant is going to be entitled “How a $30K security overlayment was defeated by 23 cents worth of pencil and paper”.

    And, yes, storing card data is like driving a car or serving alcohol in a commercial establishment ~ all privileges, not rights. Maybe storing card data should be a licensed event, like driving and bartending.

1 Trackback(s)

May 14, 2007: Compliance and the Illusion of Security » Musings on database security