PCI security standard gets ripped at House hearing, April 1, 2009 (Computerworld) by Jaikumar Vijayan http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130901
From the article: In one of the bluntest denouncements of PCI DSS to date, Rep. Yvette Clarke (D-N.Y.), chairwoman of the subcommittee that held the hearing, said the standard by itself is simply not enough to protect cardholder data. The PCI rules aren’t “worthless,” Clarke said. But, she added, “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.”
The article goes on to reiterate the well-known points that both Hannaford Bros. Co. and Heartland Payment Systems had been certified as PCI compliant while breaches were under way. A PCI assessment attests to the state of controls at the time of the assessment, not to what happens to those controls afterwards.
I have read many opinions on who is to blame for cardholder breaches, and many of those opinions are thoughtful and make a lot of sense. But to throw the Card Brands under the bus for trying to get merchants and acquiring banks to pay attention to the security of cardholder data makes no sense to me. And to have that opinion coming from a member of the U.S. House of Representatives takes the cake!
To make her point about why the PCI DSS rules are not effective, Rep. Yvette Clarke made these statements:
- “…standard by itself is simply not enough to protect cardholder data”
- “The PCI rules aren’t ‘worthless’…”
- “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.”
No kidding! The PCI Security Standards Council has been saying the same things all along. In fact, it publishes a Ten Common Myths of PCI DSS document (https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf) whose summary point is that PCI compliance is not a one-time event. Myth 8 specifically says, “True security of cardholder data requires non-stop assessment and remediation to ensure that likelihood of a breach is kept as low as possible.” That statement is clear as a bell to me: pay attention to security continuously! Myth 10 says, “When people say PCI is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.” That makes sense to me, too!
Keeping any data secure in today’s IT world is hard, extremely hard, but affected organizations can, I think, try harder. In a sample of 112 assessments, VeriSign found the following failure rates for 10 of the 12 PCI DSS requirements (https://www.verisign.com/static/PCI_REASONS.pdf):
- 79% failed Requirement 3: Protect stored data.
- 74% failed Requirement 11: Regularly test security systems and processes.
- 71% failed Requirement 8: Assign a unique ID to each person with computer access.
- 71% failed Requirement 10: Track and monitor all access to network resources and cardholder data.
- 66% failed Requirement 1: Install and maintain a firewall configuration to protect data.
- 62% failed Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- 60% failed Requirement 12: Maintain a policy that addresses information security.
- 59% failed Requirement 9: Restrict physical access to cardholder data.
- 56% failed Requirement 6: Develop and maintain secure systems and applications.
- 45% failed Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
There is something wrong here, and PCI DSS is exposing it, not causing it. Too many merchants are going for the compliance certificate rather than for continuous security, which would yield continuous compliance as a by-product. We should not give up on PCI DSS unless, or until, a future sampling like VeriSign’s finds that most merchants are actually passing these requirements and breaches nevertheless continue at the same rate and scale as they do now.
We are not there yet. And until we are, I think the PCI SSC and the Card Brands need to keep pushing merchants and acquiring banks to go beyond seeing PCI DSS as just a checklist and see it for what it really is—basic security best practice that must be assessed, remediated and reported on continuously.