The QSA's Perspective: PCI Compliance Risks Abound
Let's talk about the Payment Card Industry Data Security Standard (PCI DSS, or just PCI). When many merchants and service providers think about PCI, they recall the National Retail Federation's (NRF) June 8, 2009 letter to PCI Council General Manager Bob Russo, which complained that it is difficult to "comply with the program's requirements in a cost effective and timely manner."
Or they may remember PCI being criticized during a United States House of Representatives hearing as "of questionable strength and effectiveness."
PCI critics readily point out that shortly after the completion of its 2008 assessment, Heartland Payment Systems began leaking batches of unencrypted cardholder data and did so for months before the leak was identified. Worse, Hannaford Brothers received its PCI certification one day after learning that the company had experienced an ongoing breach over the preceding two months.
Still, according to a 2009 survey conducted by the NRF in association with ControlScan and the PCI Knowledge Base, of 220 small retailers, 72% believe that their own risk of cardholder data compromise is "low" or "not possible."
Perhaps then, the powder keg that Albert "Segvec" Gonzalez allegedly lit with the TJX Companies, Hannaford Brothers and Heartland Payment Systems is what we can refer to as "a wakeup call."
From a QSA's perspective, here is what is frequently lost from the PCI debate: While criticisms have been made challenging the quality and effectiveness of QSAs, it is important to note that an assessment occurs at a point in time and commonly utilizes a sampling methodology of representative systems and processes to determine compliance. It is the QSA's role to conduct this point-in-time assessment. But it's the service provider's and merchant's responsibility to achieve, demonstrate and maintain their PCI compliance at all times -- both throughout the annual certification cycle and across all systems and processes in their entirety.
Although it is feasible that an assessor may detect a breach, it is not the focus of their efforts in conducting a compliance assessment. Rather, it is the responsibility of incident response and security monitoring functions internal to the service provider or merchant to detect and/or prevent such compromises.
In analyzing the "wardriving," SQL-injection and malware primary attack vectors of the TJX, Hannaford Brothers and Heartland Payment Systems breaches, breakdowns resulting in non-compliance with well over one dozen PCI requirements would have had to occur, spanning such items as access controls, wireless encryption, anti-virus, input validation, vulnerability scanning and penetration testing procedures.
Given its failure to maintain a PCI compliant environment, Heartland was removed last year from the Visa and MasterCard service provider lists. Following revalidation, Heartland has since regained inclusion.
According to filings with the Securities and Exchange Commission, as of June 2009 Heartland had paid over $32 million related to the breach. Additionally, on January 8, 2010, it was announced that Heartland has agreed to a $60 million settlement with Visa and a $3.6 million settlement with American Express, but has yet to reach settlement with MasterCard and Discover. TJX similarly reached a $40.9 million settlement with Visa and a $24 million settlement with MasterCard.
However, fines are only part of the cost in the aftermath of a breach. With reputational damage, forensic investigation and remediation, expenses quickly add up, proving a costly burden for everyone from service providers to Level 4 merchants alike.
Is PCI complex? Absolutely. With up to 267 requirements as of PCI DSS version 1.2.1, it is not an effort to be taken lightly, and certainly not one that allows any organization to either achieve or demonstrate compliance overnight. But what compliance standard is truly dissimilar?
To the standard's credit, and per Russo's response to the NRF, PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."
Further, as Visa Deputy Chief Enterprise Risk Officer Adrian Phillips pointed out at the March 2009 Visa Security Summit, "Let's remember we've had some bad breaches, but if we had not had PCI DSS, it would have been much worse ... As of today, I am confident that PCI DSS works."
Remember, thar's danger aplenty in those seas. And your risk is neither low nor impossible. Don't believe me? Guess where Mr. Gonzalez hid $1 million in booty earned from his exploits. That's right, buried in his back yard.
About the Author: Peter Spier is President of the ISACA Western New York Chapter and a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and, over the course of 12 years of experience, has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications, among other credentials.