The State of PCI Compliance: Insights from Author/Expert Tony Bradley
In an exclusive interview, Tony Bradley, co-author of the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard, discusses:
Bradley is Director of Security for Evangelyze Communications, a global voice and unified communications products and professional services organization. He also is the lead-author and tech editor of PCI Compliance, currently co-authoring PCI Compliance - 2nd edition with Dr. Anton Chuvakin.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're speaking today about PCI compliance, and we're speaking with the man who literally wrote the book on PCI compliance, Tony Bradley, Director of Security with Evangelyze Communications. Tony, thank you so much for making time for me today.
TONY BRADLEY: No Problem. Thank you very much for having me on.
FIELD: Tony, tell us a little bit about your work and the update that you're doing to your book now.
BRADLEY: Okay, well you know, a lot of my work with Evangelized Communications, is Microsoft partner for unified communications and we do a lot of VoIP type stuff, and as a Director of Security actually, one of the things that I've been focusing on and trying to bring more to the forefront is where compliance fits into that, because, anytime there's a new technology like Voiceover IP, like Unified Communications, it seems like security kind of lags behind the curve, and then compliance is a little bit further behind that curve. And as you alluded to, I was the lead author and tech editor of PCI Compliance that came out in 2006. Anton Chuvakin, who is a very respected security expert -- he and I are going to be co-authoring a second edition of that book to be coming out later this year.
FIELD: What will be in the 2nd edition that wasn't in the first?
BRADLEY: Well, a couple of things. We learned some lessons from the first book. You know, one of the things was the book has been very well received. I think we've gotten a lot of kudos on the book. It's been a success, otherwise we wouldn't be doing a 2nd edition. At the same time, you know, we had a number of authors in there, and I think when you do that, it lets you get the book out faster, but it also introduces different styles, different -- it kind of disrupts the continuity. So that's one of the things by just having the two of us, I think we're gonna get a better flow to the book, but more importantly what we're going to do is we're going to introduce more sort of how-to and real-world case studies. So instead of sort of the theoretical just talking about well what is PCI DSS and kind of describing it, we're gonna go into more detail about alright well now that we've given you that information, what are you supposed to do with it, and what are the real-world examples of why or how you should do it? So we think that that's an important change to this 2nd edition, and it will also be updated to reflect the changes that have occurred with the PCI DSS guidelines since we released the book initially back in 2006.
FIELD: Well Tony, let's talk about a couple of real-world cases. PCI's been in the news of late because of the Hannaford Brothers and the Heartland Payment Systems data breaches. Everybody seems to be talking about it. I guess from your perspective, I'd like to know what's most misunderstood about PCI DSS compliance?
BRADLEY: I think that the most misunderstood thing about PCI DSS compliance is that people seem to expect it to be a silver bullet of sorts. That people look at any breach like Heartland or Hannaford or TJX or whatever, if that breach occurs with an organization who is allegedly PCI DSS compliant, then it's looked at as a failure of PCI DSS, and I don't think that that's necessarily a fair assessment. You know, I think that PCI DSS is just -- it's a framework. It's security guidelines. It's laying a foundation, but there just is no -- there is no silver bullet that's going to protect 100%. So I'm not -- I'm not trying to vouch for Hannaford or Heartland or TJX or anyone else and say that they absolutely were doing that. I'm just alluding to the sort of the back-lash I see in the media and firm's security experts where they say `Well, this is an example of why PCI DSS isn't working`.
FIELD: Now the news over the weekend was that Heartland and RBS World Pay, both of them payment processors that suffered recent breaches, are off of Visa's compliant vendors list -- processors list. What really does that mean?
BRADLEY: You know, with RBS -- I'm not as sure what's going on with RBS -- with Heartland, they have been removed from the list ... but they've also said that they're on probation, so they haven't like cut them off. Basically, they've put them on probation, and they said, `We're taking you off PCI DSS compliant list`. I think that the sort of cascade effect to that is whether or not their customers end up jumping ship. Because I think that there are some implications there of if I'm a customer of Heartland and I'm processing my credit-card transactions through Heartland, who is now no longer PCI DSS compliant, then my transactions are seemingly also not PCI DSS compliant any longer. So, on the one hand, that would seem to be the case that if I'm a customer, I would want to look at moving my business, but on the other hand, I'm not sure that is really what Visa had in mind, because again, they didn't cut them off entirely, and they just put them on probation, so I don't think they necessarily meant for all of their customers to bail.
FIELD: Now, just step back a little bit and look at the state of PCI compliance. Just based on what you see in the industry, what is the state of compliance today?
BRADLEY: Well, I think the state of compliance is actually pretty good. I think that especially compared with some of the other compliance mandates out there ... that PCI DSS has been very well accepted for the most part, and that the nature of PCI DSS is somewhat a simpler and more direct set of guidelines. So I think that it's easier to follow without being so stringent that it tells you exactly which controls to put in place. So -- I mean -- I think that organizations are adopting it. I don't think we're 100%. I think that some organizations can do better, but I think the bigger thing is, and I think this goes for all compliance for all organizations, though is to not look at it like an implementation project. It's not something you just launch and then you're done, or you don't put some stuff in place, pass your audit, and then say `Great, we're compliant. Now we're done.` It's an ongoing process. It has to be something you keep an eye on, you know, quarterly, monthly, weekly, you know, whatever. You have to be watching. You have to keep in mind that over time, and even if you were compliant at the beginning of the year, you're adding users; you're subtracting users; you're getting new vendors; you're getting new customers; you're implementing different technologies within your network. Things are constantly changing, so the compliance aspect of those changes has to be kept in mind. I would say that at least on a quarterly basis that has to be reviewed again. You have to keep looking at that and say `Okay, yeah, we were compliant, but now we've introduced this server, and we've got this thing going on over here. We've got new partners. We're connected with new vendors and what are the impacts, you know, to our overall security? And making sure that you've sort of adopted it as more of a -- as more of a culture than just a project.
FIELD: Tony, are there certain types of businesses that you would say are any more or less compliant than others, if you were to generalize?
BRADLEY: If I were to generalize, I would say that -- I don't want to accuse any particular industries per se -- but I think that by their nature of being very distributed and having many small outlets, that retailers are at somewhat of a disadvantage. So things like -- like TJ Max, because they can do all these things to make sure that they're compliant and they've got the policies and procedures and the technologies and the security controls in place at headquarters, but it's a little bit more difficult when you start talking about hundreds or thousands of outlets scattered across North America -- across the world or whatever, and making sure that every single one of those is also maintaining their compliance when it comes to point-of-sale systems that might be communicating wirelessly and wireless communications in general I think are a big deal. So, some industries, I think it's a little bit easier for them to get compliant and stay compliant, and with retailers, and possibly even you could include some of the banking industries in that with all the various bank branches. It's just -- it's a lot of different locations and stuff to keep tabs on and to ensure that all of the communications going back and forth and all of the transactions are secure.
FIELD: What have you found to be organization's biggest challenges in becoming PCI compliant?
BRADLEY: Well I think one of the biggest challenges in my mind has been with the wireless, and sort of the trying to find the balance between the -- you wanna be able to utilize new technologies. You wanna be able to leverage those and operate more efficiently, but trying to make sure that you're doing that in a secure way and make sure that you're doing that in a way that's -- that's still compliant. You know, one of the things that had been directed originally was that wireless networks should be a separate VLAN, you know, there should be a network segregation between the wireless network in the -- and the data network. But first of all, I think that VLAN as a security measure is not as fool-proof as it has been portrayed. I think that there are ways to circumvent that and sort of just implementing a VLAN is I don't think secure enough. But the other side of that being what I started off talking about which is as companies are moving towards -- there's more convergence, and there's unified communications, and they're trying to tie more things together, which goes against the grain of trying to segregate them and lock them down. You know, so I think that's one piece, and then, you know, part of the changes with PCI DSS this last fall, were that originally, you know, WEP encryption was considered okay, and WEP has now been eliminated, and you're supposed to at least have WPA or better yet, WPA 2 encryption for wireless networks, and that -- that I think, is sort of a big thing just because a lot of organizations hadn't even caught up to getting the web security in place, and set up properly, and now we've already moved beyond that.
FIELD: Tony, one of the statements I hear about PCI compliance quite a bit is that PCI is the standard. It's not necessarily a regulation. There's a difference there, because of the teeth you can put into something like this. As someone who is pretty intimate with PCI, where are the teeth in this standard? In other words, what happens if an entity isn't compliant? What sort of - what can the council or the PCI Alliance do?
BRADLEY: Well, I think this is a frustration that I've experienced as well. I mean, I think that one example being that Heartland for example, has been, like we said, they've been removed from the PCI DSS compliant vendor list, but they're also just on probation, and overall, it seems like kind of - kind of a slap on the wrist compared with the level of the breach - the severity of the breach. Now, Heartland in particular, from what I can see, is an example of an organization who was PCI DSS compliant, and that the method by which they were breached was something that was not easily guarded against. It was not easily seen. You know, unlike the TJX breech, which was basically just a lax in judgment on - on wireless security, the Heartland situation seems like, you know, they did what they were supposed to do, and they got breached anyway. So in that regard, I can sort of understand the probation, but again, getting back to the teeth, the frustration is that it doesn't seem like anything is happening. It doesn't seem like, you know, within the - within the PSI DSS guidelines, which as you said, it's not a law ... These are just guidelines, but they're industry guidelines to a powerful industry. You know, so if - if the credit-card industry as a whole, if they stepped up and said `you know what? You're not in compliance with PCI DSS. Therefore we're not going to let you do business,' that can - you can put a company out of business by taking away their ability to accept or process credit-card transactions. So, even though it's not a law, it's not a regulation, I think that they could have much bigger teeth than they've shown, and that that, you know, is - is I think part of the problem in - in what little area there is left of non-compliance, I think that some organizations are looking and saying `Well, what's the big deal?' We've had organizations who've had these massive breaches ... and in the end, it didn't really cost them that much. You know, TJX - still in business - still doing fine - stocks doing, you know, relatively okay. So the downside doesn't really seem to be there. So from my perspective, I - I would like to see some - some stronger teeth. I would like to see some stronger reaction, and even though it's not a law, I think that the, you know, credit-card industry does have the power to, you know, hand out some - some stiffer penalties.
FIELD: Tony, there's a question I've been wondering about in all this discussion about Heartland. All we've really heard about have been Visa and MasterCard. Where are the other credit-card brands in all this discussion, and why aren't their names coming up?
BRADLEY: Well, I think - I think partly it's a matter of volume. I mean, yeah, certainly there are other credit-card brands, you know, that are involved in the - in the PSI DSS, you know, coalition, you know, Discover, American Express, and some of the international brands, but I think in terms of market share, or in terms of the total number of both end users who are using the cards, and retailers or businesses that accept the cards, I think Visa and MasterCard are somewhat dominant in that area. So I think that is a big part of it, because especially in North America it's just the odds of a company accepting Visa and MasterCard or a user using Visa and MasterCard are significantly higher, so I think that's why they get more attention.
FIELD: That makes sense. Tony, frighteningly enough, we're almost a fourth of the way - a quarter of the way through this year. As you look ahead to the next three quarters of the year, what do you see will be the top say three PCI stories for the remainder of 2009?
BRADLEY: Well, let's see, one I think will be what I was referring to earlier, or at least it should be, which is getting a grasp on sort of balancing or finding the right mix of being able to adopt new technology and still be PSI DSS compliant. I think there even might be - need to be some - some clarifications from the PSI DSS from the PCI council on some of these issues as it relates to the unified communications and the wireless communications and making sure that we have some clear guidance on what is and is not accepted in that regard. You know, I think that the second thing would just be -- I think you'll see a continued focus on what is the state of compliance. What are the repercussions of not being compliant? I think, the ongoing story, especially with the recent news of Heartland's probation, we'll be sort of looking at, 'Okay what has been the impact to TJX? What's the impact to Heartland? What's the impact to Hannaford or RBS, or whatever,' and then the discussion will be around did the PCI DSS, you know, as a compliance, as a set of compliance rules, did it do its job? Did the credit-card industry do its job in levying penalties or doing something about it when - when the breaches occurred, and then what's the long-term impact? Are these companies suffering at all? Or, you know, are they just going along fine, and sadly a third thing - third story -- would be that I don't think I would say this outside the realm of possibility that we'll just end up hearing another Heartland, another TJX another breach, and sort of seeing where that takes us.
FIELD: Very good. Tony, we look forward to your new edition of the book coming out, and I want to thank you for giving us your time and your insight today.
BRADLEY: Thank you very much.
FIELD: We've been talking with Tony Bradley, Director of Security with Evangelized Communications. For Information Security Media Group, I'm Tom Field. Thank you very much.