Interesting post on retailers views of PCI – only 30% take PCI security seriously

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog


I came across an interesting post on the Dark Reading website yesterday titled PCI More Of A ‘Check-Box’ Than Security For Most Retailers. The following excerpt was particularly interesting:

Nearly 80 percent of retailers and organizations that handle credit card transactions have been hit with a data breach, but more than 70 percent still don’t consider security strategic to their operations, according to a new report released today.

This apparent incongruity has more to do with organizations accepting a certain level of risk in doing business on the Internet, says Brian Contos, chief security strategist at Imperva, which commissioned the 2009 PCI DSS Compliance Survey conducted by the Ponemon Institute.

“Roughly 30 percent take [PCI security] seriously,” Contos says. “And the others see it as a check box.”

So nearly 80 percent of the surveyed retailers and card-handling organizations have experienced a data breach, yet more than 70 percent still don’t consider security strategic to their operations and only about 30 percent take PCI security seriously. The question is whether this is an indictment of the retailers or of the PCI standards themselves.

It doesn’t help that a number of recent data breaches in the news involved victims that had been assessed as PCI compliant. In fact, Robert Carr, the CEO of Heartland, the payment processor whose data breach exposed over 100 million credit card numbers, slammed both his auditors and the PCI standards in a recent interview:

What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?
Carr: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

How did the QSAs respond when you expressed this view?
Carr: “In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”

The key point in this story is one that everyone should understand: PCI compliant does not mean secure. A Report on Compliance is a point-in-time judgment about a sampled environment, and a QSA's opinion that you met the standard on the day of the assessment says nothing about whether an attacker is already inside the network. Carr stating that a company the size of Heartland didn’t understand this is questionable in my opinion, but the failure of their auditors to flag an attack vector that was already known to be in active use against other companies, and for which remediation was available, is a problem as well.

The PCI DSS simply provides a minimum baseline of controls for a cardholder data environment. It is up to the company to supply the people and processes that support its technology investments, including monitoring, patching and vulnerability management that continue between assessments, to actually create and maintain a secure environment.
