To this day, people are surprised when an organisation is breached after having achieved PCI compliance.
The SSC has never claimed that PCI compliance ensured the protection of cardholder data, especially when you consider most organisations don’t DO PCI compliance for security, they do it to get their acquiring banks off their backs. All the SSC have ever claimed is that it helps, and it does.
Security is not about being impenetrable (that’s impossible); it’s about knowing your two main enemies: thieves and ignorance.
Thieves are lazy. In fact, I’d go as far as to say that laziness, more than a desire to be bad, is the leading driver behind computer crime. This drives them to steal first what is most easily available: the so-called low-hanging fruit. So to avoid thieves, just have YOUR fruit higher up the tree. That’s what PCI compliance does, and that’s all.
As for ignorance, my absolute favourite phrase right now is:
“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”
― Harlan Ellison
Information Security Policies and Security Awareness Training are SUPPOSED to cure all employees of their ignorance as it relates to the protection of data in their possession, and they would if they were taken seriously. They are not. Policies provide the dos and don’ts, training provides the whys and wherefores, and neither is given due care and attention.
Now combine those two and you can see why achieving PCI compliance means little to nothing if it’s not done PROPERLY! Even then, it will always fall short.
I have stated several times in my blogs that ALL compliance would automatically spit out the back end of a security program done well, and I have even defined what that is in my Security Core Concept series. The five people who actually read them will understand the following, but for the rest, here are four reasons why PCI compliance does not mean security:
- It does not start with a risk assessment relevant to YOUR organisation. The controls of the Data Security Standard ARE the risk assessment. Even if you were to perform your own at the beginning of your compliance project, you still have to do everything the DSS says as there is no ‘residual risk acceptance’ in PCI.
It is FAR more difficult to implement the PCI DSS controls as stated than it is to implement the controls relevant to your business, which is why it is never done properly.
- The focus of the DSS policies and procedures requirements is the paperwork, and not the enforcement OF those policies. Having policies is meaningless if they are not read, understood, and followed.
- Once-a-YEAR validation of compliance is as pointless as hub-caps on a tractor. Yes, you are responsible for maintaining your compliance throughout the year, and yes, the DSS includes change control as a requirement (barely), but how exactly do you maintain compliance when the DSS provides no context or framework for a sustainable security program?
- Let’s take an actual control, logging: there is no PCI requirement for centralised logging (10.5.3 – “or media that is difficult to alter.”), meaning a daily retrieval will suffice for the daily review (10.6.X), which in turn can be performed manually. Show me how you can possibly perform adequate incident response in an environment that does not stream logs in real time to a centralised location that then performs the following automatically, and I’ll wash the crow down with a healthy serving of humble pie:
– Real-time alerts based on ‘never-see’ events from every system component.
– Real-time alerts based on violations of ‘threshold’ events baselined from every system component.
– Alerts based on violation of ‘trending’ patterns (you have a year’s worth (10.7.X), use them).
Logging is the core of incident response, which is the only way of preventing a security event from becoming a business-crippling disaster. Logging is not just a collection of events to be used in a forensic investigation.
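To make the three alert classes concrete, here is an added example (not from the original post) of what a central log collector can do automatically once every component streams to it. The hosts, event names, the "timestamp host event" line format, the seven-day baseline counts and today's log lines are all constructed for illustration; the baseline stands in for the retained history the post points at (10.7.X). It flags a never-seen event on first sight, a count that blows past its baselined threshold (mean plus k standard deviations), and a series that has been rising day on day even though it is still below the threshold, which is the case a threshold alone would miss.

```python
"""Added example: never-seen, threshold and trend alerts over centralised logs."""
import statistics
from collections import Counter

# Constructed baseline: daily counts per (host, event) for the previous 7 days.
BASELINE = {
    ("web01", "auth_ok"):    [120, 110, 130, 125, 118, 122, 119],
    ("web01", "auth_fail"):  [3, 4, 2, 5, 3, 4, 3],
    ("db01", "auth_ok"):     [10, 12, 11, 9, 10, 11, 10],
    ("db01", "auth_fail"):   [0, 1, 0, 0, 1, 0, 0],
    ("db01", "data_export"): [1, 2, 3, 4, 5, 6, 7],
}

# Constructed log lines for today, as received by the central collector.
# Assumed format: "<timestamp> <host> <event>", one event per line.
TODAY_LOGS = """\
2024-01-08T00:05:11Z web01 auth_ok
2024-01-08T00:06:40Z web01 auth_fail
2024-01-08T00:07:02Z web01 auth_ok
2024-01-08T00:09:15Z db01 auth_ok
2024-01-08T00:12:30Z web01 auth_fail
2024-01-08T00:15:44Z db01 data_export
2024-01-08T00:20:01Z web01 auth_ok
2024-01-08T00:21:09Z db01 data_export
2024-01-08T00:25:33Z db01 auth_fail
2024-01-08T00:25:35Z db01 auth_fail
2024-01-08T00:25:37Z db01 auth_fail
2024-01-08T00:25:39Z db01 auth_fail
2024-01-08T00:30:00Z db01 auth_ok
2024-01-08T00:41:12Z db01 data_export
2024-01-08T00:52:48Z db01 data_export
2024-01-08T01:03:21Z web01 auth_fail
2024-01-08T01:10:05Z db01 data_export
2024-01-08T01:15:59Z web01 auth_ok
2024-01-08T01:22:14Z db01 data_export
2024-01-08T01:40:37Z db01 data_export
2024-01-08T01:58:50Z db01 data_export
2024-01-08T02:10:00Z db01 new_admin_user
"""


def parse_logs(text):
    """Count (host, event) pairs; malformed lines are skipped, not fatal."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, host, event = parts
        counts[(host, event)] += 1
    return counts


def never_seen_alerts(today, baseline):
    """Alert on any (host, event) with no history at all: first sight."""
    return {key for key in today if key not in baseline}


def threshold_alerts(today, baseline, k=3.0):
    """Alert when today's count exceeds baseline mean + k * sample stdev."""
    alerts = {}
    for key, history in baseline.items():
        limit = statistics.mean(history) + k * statistics.stdev(history)
        count = today.get(key, 0)
        if count > limit:
            alerts[key] = (count, round(limit, 2))
    return alerts


def trend_alerts(today, baseline, window=5):
    """Alert when the series rose on every one of the last `window` days."""
    alerts = {}
    for key, history in baseline.items():
        recent = (history + [today.get(key, 0)])[-window:]
        rising = all(a < b for a, b in zip(recent, recent[1:]))
        if len(recent) == window and rising:
            alerts[key] = recent
    return alerts


def run(text=TODAY_LOGS, baseline=BASELINE):
    """Run all three detections over one day's streamed log lines."""
    today = parse_logs(text)
    return {
        "never_seen": never_seen_alerts(today, baseline),
        "threshold": threshold_alerts(today, baseline),
        "trend": trend_alerts(today, baseline),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Running it reports db01's first-ever `new_admin_user` as a never-seen event, the four `auth_fail` on db01 as a threshold breach (its baseline rarely exceeds one a day), and `data_export` on db01 as a trend alert: eight today is still under its three-sigma limit of roughly 10.5, so only the day-on-day rise gives it away. None of this is possible on a daily manual review of logs pulled from each box.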
Bottom line: PCI compliance is nothing more than an attempt to protect cardholder data better than it was protected previously, and in that it has only succeeded in the organisations that focused on security, not compliance.
Everyone else threw good money after bad and kept the thieves from having to find their next low fruit.