Many organizations that are subject to PCI DSS compliance are probably asking, "why should I spend the time and money required to pass a PCI audit if Heartland Payment Systems, and 2008's victim Hannaford Groceries, passed their audit and were breached anyway?" It's a reasonable question.
The basic purpose of the more than 200 PCI DSS requirements is to provide best-practice guidelines that, if followed, reduce the risk of cardholder data and other critical information being compromised. In other words, the intent of the requirements is to improve IT security in order to reduce the risk of data compromise. What is happening far too often, unfortunately, is that PCI DSS compliance has become a project to "pass the audit at minimum cost". Auditors and assessors are unwittingly contributing to the problem by enforcing the individual requirements of the specification rather than their intent. One such example is requirement 11.5, which states: "Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly."
Almost every organization I have seen that faces PCI compliance interprets this requirement as a need to install a piece of software that will show the auditor or assessor a report proving that changes to critical system and configuration files are being captured. That is it, and that is normally enough to get the all-important audit check mark. And that is exactly how organizations can pass their audit and still have their cardholder data compromised, making worldwide headlines in the process.
Requirement 11.5 requires that alerts be issued when an unauthorized change is detected. The intent is obvious: detect changes to critical files and configuration settings, analyze each one quickly to determine whether it was authorized and compliant, and, if it was not, investigate immediately because the security of the data is at risk. Determining whether a change is authorized and compliant requires some analysis, and if that analysis is not done, what is the use of monitoring for change at all? Frankly, there is not much use.
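The difference between "capturing changes" and "detecting unauthorized changes" is easiest to see in code. The following is an added example written for this page, not software from any PCI vendor or from the original author: it baselines a directory of critical files by content hash and permission bits, re-scans, diffs the two snapshots, and then classifies each change against a change-control record. The file names, file contents, and the `approved` record format (path mapped to the SHA-256 the ticket approved, or `None` for an approved removal) are all constructed for illustration. The point is the last step: a change is only authorized if a ticket exists for that path and the resulting content is exactly what the ticket approved.

```python
"""File-integrity monitoring: baseline, compare, then decide whether each
detected change was authorized. Constructed example, not production code."""
import hashlib
import stat
import tempfile
from pathlib import Path

_NO_TICKET = object()  # sentinel: no change-control record for this path


def hash_file(path: Path) -> str:
    """SHA-256 of the file content, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record content hash and permission bits for every file under root.
    Paths are stored relative to root (POSIX form) so the baseline is portable."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots. Returns one record per added/removed/modified file."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append({"path": path, "kind": "added", "new": new})
        elif new is None:
            changes.append({"path": path, "kind": "removed", "old": old})
        elif old != new:
            changes.append({"path": path, "kind": "modified", "old": old, "new": new})
    return changes


def classify(changes: list, approved: dict) -> list:
    """Mark each change 'authorized' or 'unauthorized'.

    `approved` is a hypothetical change-control record: path -> expected SHA-256
    after the approved change, or None for an approved removal. A change is
    authorized only if a ticket exists for the path AND the resulting content
    matches what the ticket approved. An approved path that ends up with
    different content is still unauthorized (the ticket did not cover it).
    """
    out = []
    for c in changes:
        expected = approved.get(c["path"], _NO_TICKET)
        if expected is _NO_TICKET:
            status = "unauthorized"
        elif c["kind"] == "removed":
            status = "authorized" if expected is None else "unauthorized"
        else:
            status = "authorized" if c["new"]["sha256"] == expected else "unauthorized"
        out.append({**c, "status": status})
    return out


def demo() -> list:
    """Constructed scenario: three 'critical' files, one approved change,
    one unapproved config edit and one unapproved new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\nlog_level=info\n")
        (root / "etc" / "tls.conf").write_text("min_version=1.2\n")
        (root / "bin" / "payment").write_bytes(b"\x7fELF original binary")
        baseline = build_baseline(root)

        # Change 1: approved through change control; the ticket records the
        # hash the file is expected to have afterwards.
        new_conf = "db_host=10.0.0.5\nlog_level=warn\n"
        (root / "etc" / "app.conf").write_text(new_conf)
        approved = {"etc/app.conf": hashlib.sha256(new_conf.encode()).hexdigest()}
        # Change 2: nobody filed a ticket for weakening the TLS floor.
        (root / "etc" / "tls.conf").write_text("min_version=1.0\n")
        # Change 3: an unexpected file appears next to the payment binary.
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF something new")

        return classify(compare(baseline, build_baseline(root)), approved)


if __name__ == "__main__":
    for change in demo():
        print(f"{change['status']:12} {change['kind']:9} {change['path']}")
```

Running `compare` on a schedule satisfies the letter of the requirement ("critical file comparisons at least weekly"); only the `classify` step turns that comparison into the alert the requirement actually asks for, and it cannot run without a change-control record to compare against. In the constructed scenario the `app.conf` edit comes back authorized while the TLS downgrade and the new `helper.so` come back unauthorized, which is the distinction an audit report of raw changes never makes.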
If PCI DSS requirements were implemented according to their true intent, improving security to reduce the risk of compromise, we would seldom hear about massive breaches and data compromise at organizations that passed their PCI DSS audit.