PCI Compliance Ain’t Information Assurance

This post is largely the product of a great email from Mosi Platt who heads up our audit practice area …

Robert Carr, the CEO of Heartland Payment Systems, had some very candid and controversial thoughts relating to the Payment Card Industry Data Security Standard (PCI-DSS), the Qualified Security Auditors (QSAs) who certified their environment as PCI compliant before their massive (up to 100M card) breach, and the difference between being compliant and being secure (see the linked article).

The part that really jumped out at me was the statement about the QSA failing to check Heartland’s vulnerability to a “common attack vector”. Without additional information, it’s difficult to determine whether the criticism is fair.

Did the companies that were previously attacked using that vector disclose it? Had the vulnerability been disclosed by the researcher(s) who discovered it (or were they waiting for the vendor to issue a patch)? What if the “common attack vector” only rates as a low-to-medium vulnerability by PCI’s own scanning standards? There’s a potential information asymmetry problem that works against the auditor in these situations. Has Heartland shared detailed information about their attack with the QSA community as a whole, to prevent the same situation from occurring elsewhere?

Is it the QSA’s obligation to stay aware of common attack vectors, or is it the PCI Council’s responsibility to promulgate “common attack vectors” to them? I believe it’s both, but it is more important that the PCI Council does so, as it has visibility across every PCI compliance audit and data breach. Assuming the PCI Council does promulgate this information to QSAs, but not to the companies themselves or to other non-QSA auditors that do PCI DSS work (like us), then the council is creating an additional incentive to pay the hefty fees to be QSA certified, at the expense of the companies and the consumers. This shouldn’t be all that much of a surprise. Ask yourself why we haven’t gone to two-factor authentication on credit cards to reduce fraud? (Hint: because it’s cheaper to let companies like Heartland take the fall.)

I think the PCI Council is a great example of an industry association failing to fulfill its role of building trust between its members and their consumers (another great example). How many more PCI-compliant merchants will get hacked before that trust is completely eroded? As trust decreases, so does the industry’s pricing power, and the only way out of this mess is providing a higher level of assurance that will cost the merchants more money – but who’s going to pay more money for a PCI audit if they don’t feel compliance will actually secure them from hackers?

An incentive for conformance (i.e. compliance) is not an incentive for performance (i.e. effective security). Until PCI either gets the incentives right or mandates technology that’s secure by default, the problem will only get bigger. How many more breaches of PCI-compliant companies will it take before the government intervenes?

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor