PCI From the Other Side: An Ex-QSA’s Worst Nightmare

Once again I have chosen a dramatic title to sucker you in, but seeing as it’s PCI related it’s never going to be even remotely exciting, but it may be of interest…

First; per the title, I’m not actually a QSA any more, but I have been in the trenches of PCI since before there were QSAs (anyone remember QDSPs?), so I am reasonably well qualified to write about it.

Second; by “PCI From the Other Side”, I mean that I recently found myself in a scenario where I was the one being assessed. The remainder of this blog is about that experience. It was truly eye-opening, and I hereby apologise to every client I’VE assessed over the last decade. I only now feel your pain.

The above apology aside, it’s not until you find yourself on the other side of the assessment fence that you can truly appreciate the challenges faced by those organisations with PCI obligations. I am both a PCI and Information Security expert, and even I had a hell of a time putting my current organisation through the process, and I DESIGNED the infrastructure with compliance in mind!

My first challenge was finding a PCI compliant service provider (SP) who could handle the vast majority of the infrastructure and the security related processes. From configuration standards, to AV, to logging and monitoring, I didn’t want to do anything in-house. I spoke to several service providers, for some of whom I was actually the one who had provided guidance in the design of their PCI services. Regardless, they were all SPECTACULARLY unhelpful, and if I, an expert, had this much difficulty, what chance does anyone else have?

Even Amazon Web Services does a better job than every SP to whom I spoke, and while AWS basically devolve almost every aspect of compliance back on the client, they at least break down the EXACT responsibilities for all parties against every single requirement in the DSS. Yes, PCI DSS v3.0 does a better job of making this a requirement, but it can still be very difficult to get the right information based on vendor documentation and an Attestation of Compliance (AoC). If you don’t ask the right questions, no SP seems anxious to provide the answers for you.

The second major challenge was the sheer volume of ‘paperwork’. Policies, Procedures and Standards make up roughly 35% of the PCI DSS requirements, and at least 47% of validation against all requirements involves review of some form of documentation, even if it’s just a screenshot.

As an assessor I would give my clients a spreadsheet that tells them what kind of document I need against any given requirement, for them to complete with the document THEY believe meets the intent of the Testing Procedure. For my QSA I went one stage further and mapped my policies and procedures (including Section numbers!) against the Report on Compliance v3.0 template itself.

Now these are Policies that I have mapped against the PCI DSS / ISO2700X/ CoBIT etc. and even sold them to several clients to help with their compliance efforts, yet it took ME several weeks to fine tune these policies to get them exactly where they needed to be. As for the Procedures and Standards, I had to create 24 separate documents to cover everything from Change Control to Vulnerability Management and I can tell you, this was NOT fun!

Like finding a Service Provider, I had a huge advantage over most people in charge of putting together their organisation’s documentation, and if this was the pain I went through, I do not want to begin to imagine the pain for anyone not an expert. [Note: The ‘paperwork’ is critical not just to PCI, but to security in general, and should NEVER be done with just compliance in mind!]

I have written too many blogs about the problems with the PCI DSS to harp on about them here, and there were far more issues I faced than you want to hear about. Needless to say, if the SSC really want to train new QSAs, they should throw out their entire curriculum and put them in the client’s shoes for a day.

95% of them would fail.

Who am I kidding, 95% of CURRENT QSAs would fail, I almost did!

Humble Expert, or Confident Idiot, Do You Know Which You Are?

[This article is based loosely on the Dunning-Kruger Effect.]

Have you ever been part of a meeting where someone whom you suspect has no idea what they are talking about, is actually the one controlling the meeting’s outcome? Or the opposite; been part of a meeting where you KNOW someone in the room is an expert on the relevant subject, yet remains quiet? Now combine the two; the expert stays quiet while the idiot rambles on.

I’m sure at some point I’ve been both, and if I’m honest, mostly the idiot.

One of the many aspects of human nature is our susceptibility to bow to confidence. Con artists and organised religions alike (but I repeat myself) have preyed on this for millennia. Politicians, emperors, dictators, cult leaders, you name it, all have the ability to make us believe utter nonsense. We are invariably less influenced by what is said, than how it’s said, and by whom.

“Those who can make you believe absurdities can make you commit atrocities.”
- Voltaire

The opposite aspect of this is that even if you are an expert on something, if you aren’t confident in your presentation, your knowledge and skill may be of little impact. Potentially, even if you did speak up, your hesitant manner would negate your audience’s trust in your message. That’s if they were even listening in the first place.

Another aspect of human nature is that we really don’t care about other people’s opinions. We are either pleased when people agree with us, or we’ll debate, argue, even fight with those who don’t. Our tolerance for alternative opinions, as well as our ability to adjust our own, only gets worse as we get older. We spend our lives surrounding ourselves with things that make us comfortable, all of which do nothing but reinforce our established beliefs.

I have long been a proponent of self-reflection. The ability to take an objective-as-possible look at yourself, maybe even from another’s perspective, is critical in being able to adapt to whatever the world throws at you. From my experience, there is a direct correlation between the ability to self-reflect and the ability to accept responsibility for both your life, and your actions.

Blaming others is a form of blind-faith, it suggests an infallibility that can never exist. Both experts and idiots are affected equally on this point, both negatively.

The lines between confidence and arrogance, faith and stubbornness, mentorship and patronisation are all blurry, and entirely dependent on the recipient’s perception, not the deliverer’s intent. Self-reflection / observation is the only way you can adapt to the person(s) opposite you, and without that adaptation your own needs will not be met. At least not in full.

While being aware of your tendencies does not equate to an ability to make immediate adjustments (as I know very well), we all have to start somewhere. Whether you’re an expert or an idiot, everything you do is in some way contextualised by those around you. It’s up to you to maximise your impact in a beneficial way.

In your personal life, do as you wish, but at work you are beholden to someone; employer, stockholders, customers, or just your immediate team. Neither the humble expert nor the confident idiot are any good to anyone.

Including yourself.

Is Verizon Really Blaming Merchants for PCI Violations?

While on the one hand, few organisations take information security as seriously as they should, to blame merchants for not maintaining PCI compliance is akin to blaming the doctor for your illness. In non-cash payments the fault lies not with the merchant’s lack of security culture, but with the payment card ecosystem itself.

I understand the motivation behind this article, “Maintaining PCI Compliance a Showstopper for Many Retailers”, but it shows a spectacular lack of understanding of the real issues.

The branded-card payment technology is broken, pure and simple, and so far no-one in the card-payments arena has done much to fix it. Instead, they have all put the onus, and the cost, onto the end merchant, who then has two choices:

  1. Eat the cost
  2. Pass the cost on to their customer

Guess which happens 9 times out of 10?

But why should the merchant be wholly responsible for the protection of the cardholder data? Are credit cards core to their business? They shouldn’t, and no, are the respective answers. Payment for goods / services rendered is core; the means by which they receive payment is ancillary, and in that case the responsibility for securing the payment type should sit with the payment service provider.

50 odd years ago certain card brands came up with an excellent concept; the payment card. Banks jumped all over it and started providing lines of credit through the medium of plastic and the concept exploded. Now credit cards are the de facto, and ubiquitous, form of non-cash payment accepted globally.

So ubiquitous in fact, that few people seem to question the fact that the system is inherently insecure, inefficient, inflexible and massively expensive to maintain. Not for the card brands mind you, but for everyone else. The only one who cannot recoup the cost is the consumer.

I have no problem paying for the convenience of a non-cash payment mechanism, but as a business owner, I DO object to being the only one paying for security of cardholder data when the technology itself is broken and any innovation away from the current system is stifled until such times as the card brands can catch-up. Which they won’t at the rate they are going.

The card brands clearly want things to continue as they are, as do the issuers and acquirers for obvious reasons. Banks make money from branded cards by charging both annual fees and interest on lines of credit so they have no desire to change things. Large retail, who should have enormous power and influence over payments innovation have, for some reason, completely missed the point. So it’s left to the rest of us to make a difference.

The challenge is that ‘we’ are ignorant and are clearly quite happy to go along with whatever is given to us. If this seems harsh, just look at the above article again. Verizon SHOULD know better than to blame the merchants, but if they don’t, what chance do the rest of us have?

Until such time as the ‘merchants’ learn to ask the right questions this type of nonsense will continue, and until we, the ‘consumer’, start demanding REAL alternatives, we have no-one but ourselves to blame.

[REBLOG] Ghosts in the Payments Machine

This blog was written by  and the original article is here: http://www.acuityid.com/?p=336

“Today’s payment behemoths are desperately trying to hold on to control of the payment processing infrastructure because they intuitively – if not consciously – understand that the true inevitable disruption of mobile payments is radical disintermediation, i.e. total or near total annihilation of existing, seemingly haphazard and completely archaic business models.

This is apparent in their schizophrenic attempts to simultaneously fight new security standards for e- and m-commerce while clinging to the very regulations they love to rail against to limit new market entrants. It is apparent in the reports generated by highly paid consultants to strategize about how banks can hold onto, i.e. arm twist, their customers, while generating new revenue streams, i.e. fees, to compensate for archaic service models and lost payment opportunities. It is apparent in their acquisitions and attempts to present themselves as “market innovators” and “consumer service organizations”.

If mobile payments play out the way similarly disruptive technologies have in the past, the payments landscape of 2020 and beyond will look radically different than it does today. Some, if not all, of today’s industry stalwarts, in spite of their best attempts to survive, will be greatly diminished, shadows of their former selves, if not simply ghosts. Meanwhile, a host of new players with radically different visions of how payments systems ought to work will rapidly grow into expansive financial legends with global footprints.

Sound far-fetched? History tells us otherwise. Have a read through a post from 2011, A Kodak Moment. Between 2000 and 2009, Kodak imploded. The decade started well enough for Eastman Kodak. In 2000 it clocked film revenues of $11 billion, had 70,000 employees and 14 factories around the world. Then things started going pear shaped. Come 2009, revenues from the sale of film had fallen to $1.3 billion, the workforce had dropped to 20,000 and the number of factories had gone down to one.

Or consider Digital Equipment Corporation, AOL, Kmart, or even your local travel agency — those of you under 35 may not even know what they are. Technology-based innovation is both the bane and savior of market evolution, indifferent to the fate of those impacted by rapid, sometimes catastrophic transformation. The notion that today’s seemingly untouchable payment legends will remain intact after the coming decade of market transformation is quite simply naive. In 1989, I consulted for a company that employed 500 people to facilitate highly-targeted, database managed, email marketing. By 2001, I purchased a software program online that had far greater functionality for $195.

The beauty of this type of imminent and inevitable market transformation is that no one really knows how it will play out. Not the pundits or the prognosticators. Certainly not the CEOs of major financial institutions. So while American Express touts their “transformative move to tokenization” (quotes mine for sarcastic emphasis) or VISA digs their heels in against the European Commission’s payment card reforms, brave entrepreneurs will continue to introduce new payment means and mechanisms, and the rest of us will continue to dance and jockey for position until the initial fallout subsides and the re-visioned marketplace emerges.

Hold on to your hats, this is going to be a wild and crazy ride!”

No Such Thing as a Meaningless Conversation

No-one would call me gregarious, outgoing, or perhaps even friendly, but I will have every conversation offered to me. To NOT have that conversation suggests many things, almost all of which are negative: I think the person is dull / stupid / annoying, that I know more than they do, or that I do NOT want to know what they know, and so on. These things are judgmental, arrogant, and ignorant respectively. Of all the things it’s bad to be, ignorant is to me the worst.

I’m certainly not saying that by having these conversations I’m suddenly a saint, but as some use faith to stop thinking for themselves, I use conversation to keep some of my more negative tendencies at bay. We all have negative thoughts, we all think bad things, but it’s knowing that we aren’t a bad person because we don’t act on those aberrant thoughts that ensures we remain good citizens.

But all of that is from a personal development perspective; in its somewhat lighter form, conversation can make or break your career development too.

It’s very easy to assume that you make your own way in life, that anything good you have is through your own hard work. Basically you created your life out of a vacuum. This is simply not the case.

Here we are in 2014, and anyone who has a smartphone has access to more information than we could ever, in a million years (quite literally), read, let alone absorb and retain. We must all categorise what we see every day into one of 3 buckets:

1. Read, absorb, and assimilate for ongoing use.

2. Skim, file away for reference.

3. Ignore.

95% of what we read is in bucket 3, 3% is in bucket 2, and only 2% is what we each use to make a career for ourselves. It is my belief that even that 2% does not truly give us full benefit until the context means something to others as well.

You’ve probably heard the sayings “Those that know, do. Those that understand, teach.” and “If you can’t explain it simply, you don’t understand it well enough.” [attributed to Aristotle and Einstein respectively], so by definition, nothing you say or think can really make any difference until it is shared.

Everyone you meet is the perfect sounding board in some fashion, but it requires you to take your own ego completely out of the equation. In the end, I don’t think anyone can ever care as much about someone else’s opinion as they do their own, so surely it makes sense to listen more than talk?

I am in no way saying that you should always forego your own needs / ideas / opinions in favour of everyone else’s, but it’s only really in conversation that we can obtain either the validation we all look for, or something else to think about.

Let’s face it, none of us is perfect, and once you hit your 40’s your opinions on almost everything are pretty much set. If we can, even from time to time, shut the hell up, who knows what we’ll learn.

All that said, talking to me about sports is a great way to get yourself ignored.