PCI DSS is “Insufficient?”
October 8th, 2009 by hmark
Posted in Compliance, PCI DSS
In a lawsuit filed in the wake of the Heartland breach, the plaintiff’s attorneys allege that Heartland knew that the PCI DSS was “insufficient” to protect cardholder data. Specifically, the lawsuit alleges, “Heartland executives were well aware before the Data Breach occurred that the bare minimum PCI-DSS standards were insufficient to protect it from an attack by sophisticated hacker…” They base this allegation on an earnings call held the November prior to the breach in which the CEO states that Heartland will “move beyond” the PCI DSS, which was the “lowest common denominator” of security. The lawsuit uses that statement as evidence that the “industry standard” for security is actually set much higher. This is a chilling turn of events for many in the Payment Card Industry.
Essentially, the effect of such a suit, provided the judge finds in the plaintiffs’ favor, is to create a disincentive for organizations to implement security controls beyond those detailed within the PCI DSS. Why would they, when the result is that the organization takes on additional liability? The result of such a decision would be to encourage companies to do the minimum to meet compliance with the PCI DSS, lest they inadvertently set a new “industry standard” to which they will be held accountable in the event of a data compromise.
Further, many organizations have chosen to make security a “core competency” and a marketing advantage. By implementing additional security controls, organizations can achieve a competitive advantage, attracting new customers through the use of security expertise and a greater level of data protection. This strategic business decision is now in jeopardy as well.
As data security professionals, we’ve all encouraged our clients to go beyond compliance and get secure. As business professionals, now we must ask whether the risk of going beyond compliance outweighs the risk of being insecure. If an organization simply achieves compliance and is breached, they can apparently make the claim that “We were PCI DSS compliant.” However, if that company implements controls beyond the level of strict compliance, are they going to be held to a higher standard? If the case goes in favor of the plaintiffs on this point, it sets the cause of Payment Security back five years - a “one-size fits all” compliance program once again takes precedence over risk-based information security management.
5 Responses to “PCI DSS is “Insufficient?””
By Nirav Shah on Oct 8, 2009
Not sure I agree that Heartland was PCI compliant at the time of the breach. In the document it mentions that “The sniffer involved in the Data Breach reportedly targeted Heartland’s “authorization switch,” which sends unencrypted account data from merchants to card networks and then on to the FI Plaintiffs for approval.” That being said, how was Heartland PCI compliant? My understanding is that all credit card data in transit must be encrypted. So if the data was encrypted and then stolen, I can see that PCI is not effective. However, in that case the data was not encrypted.
Not sure if I am missing something.
By hmark on Oct 8, 2009
The point here is not whether or not Heartland was compliant, rather the crux of the post is around the impact should the court find that PCI DSS is not sufficient, or that, because Heartland had made a point of moving beyond compliance, they created a new de facto industry standard to which they will be held. As to the encryption portion, if data is transmitted via a private line then encryption is not required. Encryption in transit is only required over a public or untrusted network. So it is possible to be compliant while not encrypting data in transit - if the data is on a private network.
By Jack Daniel on Oct 14, 2009
I feel the problem with PCI is not the fact that PCI DSS is insufficient; the real problem is that people view this baseline guideline for securing the network as proof that a network is secure. They assume that if they are fully compliant then they are fully secure, when in reality this is not true. PCI is meant as a guideline for protecting a network and should not be used as a simple checklist when creating a security strategy. I wrote more about this here: http://securityblog.astaro.com/2009/09/pci_compliance_and_security.html#more
By Sean Inman on Oct 16, 2009
I agree with Jack Daniel in that the problem lies with the organizations that are telling themselves their network and data are secure because they completed the PCI Assessment and received a ROC.
It’s very obvious that organizations don’t understand what an assessment truly is, and that PCI-DSS is a minimum set of security guidelines.
My suggestion is that if you implement sound security controls appropriately, compliance will come as the result.
By cmark on Oct 20, 2009
I think we likely all agree that compliance is not the end goal and that compliance with any standard is not security. It is easy to understand how companies feel that PCI compliance is equivalent to security when the PCI SSC and card brands repeatedly post statements such as: “The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted and processed is by implementing the PCI DSS and remaining in full compliance.” That came directly from a statement posted on the council’s website from 4/28/08. The major card brands have also repeated this mantra many times. Although there are now statements that soften this message, many merchants were led to believe that PCI compliance is security. The challenge we all have is changing this mindset.