The PCI Paradox - why PCI DSS isn't preventing data breaches

Encryption is the number one 'get out of hell' card for PCI compliance
Encryption is the number one 'get out of hell' card for PCI compliance
The government has said again and again, 'police yourself or we will police you'
The government has said again and again, 'police yourself or we will police you'

"The problem," said the fellow, "is that the people who are asking for the audit are the same people who are paying for it." He was a PCI Qualified Security Assessor (QSA), and it was his job to audit companies who were trying to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is the industry security regulation for companies that carry credit card data. He says that this makes it possible for some companies to pressure the assessor to produce the results that they want to see - or to shop for opinion by hiring people to do 'pre-assessments' for PCI.

His complaint is one of many that have been raised by industry observers since the standard was originally launched in 2004. The standard was originally designed to help solve a burning problem that had been plaguing the credit card industry. A series of high profile data breaches were leaving millions of credit cards compromised, and it was becoming increasingly clear that the companies responsible for handling credit card data were, in many cases, unable to do it securely. American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - all of whom had been working on their own individual standards - launched the standard as a unified means of bringing the security of these companies up to scratch.

The risk profile of a typical merchant is that they have a pretty transient employee base, with minimum wages at the store level
Gordon Rapkin, Protegrity

But less than a year after the first deadline for PCI DSS, industry commentators are increasingly finding fault with the standard, and it has now even been the subject of congressional scrutiny, as lawmakers realize the extent of the cybercrime problem, and examine the methods that we are using to cope with it more carefully.

All of this is set against an industry that is particularly challenged when it comes to security. Retailers, especially in an economic downturn, have been notoriously loathe to upgrade and integrate their IT infrastructures, which are often full of legacy equipment, from multiple vendors, and very difficult to protect.

The business end of retail also creates a high-risk environment, warns Gordon Rapkin, president and CEO of Protegrity, which sells web application firewalls, and software to protect information held in databases.

"The risk profile of a typical merchant is that they have a pretty transient employee base, with minimum wages at the store level," says Rapkin. "You also have technologically unsavvy people that contribute to that high-risk environment."
“Due to the number of transient employees, I believe in 2009 we will see a far more significant increase in the number of attacks than we saw in 2008,” adds Rob Grapes, enterprise solutions specialist at Cloakware, which sells password management products.

A Simple Set of Rules

On the face of it, the PCI DSS standard is relatively simple. It consists of 12 rules in six broad categories: build and maintain a secure network; protect cardholders' data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks, and finally, maintain an information security policy.†

The 12 rules within these categories are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to the cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to networked resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

That all sounds like good advice. So what is wrong with this picture? Let's start with the fact that Heartland Systems, the payment processor that was breached in 2008, and only discovered the breach in mid-January, was PCI compliant when it was compromised. Furthermore, it didn't ever officially lose its ability to process cards with Visa, even when it was deprived of its PCI status. Instead, it was put on a probationary period. On the day of writing, Heartland regained full compliance again.

Or let's take Hannaford Brothers, the retailer that was breached after hackers placed malicious code on its servers and began stealing credit card numbers as they passed through its system. The company received notice of its PCI compliance on February 28th, according to congressional testimony - just one day after it noticed that credit card numbers were being pilfered from its network. Whoops.

Due to the number of transient employees, I believe in 2009, we will see a far more significant increase in the number of attacks than we saw in 2008
Rob Grapes, Cloakware

The PCI regulations tried to boil the ocean, believes Rapkin. "They didn't succeed in boiling the ocean yet, but they probably succeeded in raising the temperature a few degrees," he says. "Security is a journey. It just keeps going, and you look for milestones along the way." PCI created a way to mark progress, rather than creating a benchmark for absolute security, he argued.

"In the last year and a half to two years, it's become bureaucratized at some level." It's moving more slowly, and is more cumbersome, but he says that it's a good standard compared to HIPAA and others. "For retailers who are not the most security technology savvy bunch, being a little more prescriptive was the right thing to be."

However, not all people feel this way. Michael Barrett, CISO for PayPal, has said in the past that he felt the standard was too prescriptive, even though PayPal sat on the PCI Council, for example. The problem with nailing down requirements very tightly is that they can become rigid, in an environment where the enemy's attacks are becoming increasingly dynamic and fluid.

Perhaps one of the paradoxes of PCI DSS is that, depending on who you talk to, it is both too prescriptive, but also too vague. "For many years there was no application firewall requirement as part of PCI. They finally instituted a requirement for an application firewall, but didn't define what it was," complains Paul Henry, security and forensic analyst at endpoint security company Lumension. "That led to packet firewall vendors simply layering signatures on top of their existing products and calling it an application firewall, he warns.

Another big problem with PCI DSS is that it has compensating controls that are too lax, argues Rapkin. Compensating controls make it possible to get away with not doing something by substituting something else in certain circumstances.

For many years there was no application firewall requirement as part of PCI. They finally instituted a requirement for an application firewall, but didn't define what it was
Paul Henry, Lumension

It becomes easy, then, for an organization to wheedle its way around some of the rules by taking measures that may not give them the same level of security as the original rules implied. Compensating controls can lead to companies getting what Rapkin calls a "free pass" on areas such as encryption, he says.

"Encryption is the number one get out of jail for PCI compliance. It's acceptable not to encrypt the data if it's seen as too much of a hardship for your company," he warns. This can be clearly seen in version 1.2 of the PCI DSS specification, which specifically says that encryption could be replaced with several other controls covering internal network segmentation, IP address or MAC address filtering, and two-factor authentication.

The other problem according to Rapkin is that there is not a sufficient separation of duties between the assessors that audit your systems, and the consultancies that sell you the solution to fix it. That can lead to ethical problems, he warns. "There are assessors who make a living out of selling you the remediation, and I think that's horribly wrong." This makes the whole process more secretive, at a time when retailers should be doing everything they can to reassure customers that their credit card details will be safe.

An Ideal PCI

So, what would PCI look like in an ideal world? Rapkin would like to see a seal of approval, similar to the British Kite Mark, which would give the buying public the chance to assess the retailers that they're buying from without having to look them up on credit card companies' list of approved people (if those are available). He would like to see the assessor process controlled by the Council, not just licensed by it, and he would like to see a separation of duties. If you are an audit customer, then you shouldn't also be a consulting or products customer with the same firm, he warns.

What happens if these perceived inadequacies in the PCI DSS program persist? Lumension's Henry warns that government involvement may be the only way forward. "We're going to see federal regulations rather than PCI regulations. That seems to be where it's going. The government has said again and again, 'police yourself or we will police you'," he says. "We will see that down the road unless the government starts to put the consumer before the payment card processor."

He may be right. The PCI DSS debacle is now attracting congressional attention. On March 31, a House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held a hearing entitled "Do the Payment Card Industry Data Standards Reduce Cybercrime?". Apparently not as much as chairwoman Yvette D Clarke would like.

"I do not believe the PCI Standards are worthless; in the absence of other requirements, they do serve some purpose. But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that," she said, adding that updating the standards every two years is not adequate to keep abreast of the quickly developing techniques used by cybercriminals.

Perhaps, then, after all the industry's attempts to regulate security among companies dealing with credit card information, the onus must still rest on the retailers themselves - and Rapkin argues that they should be taking a more holistic view of their security.

"If you look at TJX and some other breaches, these are people that spent money on security, but they didn't spent it strategically," Rapkin says. "They seemed to have made piecemeal, point solution-oriented investments. Each cost money, but it didn't have a relationship with the data that needed securing elsewhere."

In practice, this means that we are likely to see many more TJXs, Hannaford Brothers and Heartland-style incidents before this gets better. If it ever gets better at all.

What’s hot on Infosecurity Magazine?