David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
What makes the mainstream news in security? High profile data breaches especially with credit cards. In an effort to improve the value of your organization’s security strategy and hopefully keep all of us out of the news, Bob Russo, General Manager of the PCI Security Standards Council explained what to expect from the new set of PCI standards.
PCI Security Standards Council (SSC) is an open, global forum responsible for PCI Security Standards. They exist because people simply don’t know what to do when it comes to PCI. PCI’s putting out three new standards this year. They are PA-DSS – Payment Application Data Security Standard, PCI PTS: PIN Entry Devices standard, and PCI DSS: Data Security Standard.
These are not moving targets. Each standard has a lifecycle. It involves a process of implementation, feedback, revisions, and discussions of revisions. And understand that PCI SSC only deals with standards, not compliance.
This is all about security. Russo argued that if you do this you will be secure, which is the opposite of what I’m hearing on the floor, that compliance doesn’t equal security.
Quoting a Forrester report from 2007, Russo said that 81% of businesses that do credit card processing store payment card numbers.
Most common question Russo gets is “How much is it going to cost to comply?” He doesn’t know the answer to that question. It all depends on what types of systems you’re currently running on. Legacy systems will have a harder time to make the leap, while a newer company can do it far more economically.
Why should you be obsessed about compliance? Because if you have a data breach, said Russo it may cost you up to twenty times the price of compliance to get your customers back.
After data breaches, forensics are showing that it’s taking two weeks to months for organizations to discover that there has been a breach. Why is it taking so long to discover the problem? People may have logging turned on, but are they checking it? Do they have alarms set to go off?
When people begin with PCI, they go through the same five stages of grief when we’re faced with our own mortality. It begins with denial, then anger, bargaining, depression, and finally acceptance. To help you through the process, they have a 12-point program to help you achieve six different goals. PCI SSC has a self-assessment questionnaire for five different types of merchants.
For payment terminals, many left unattended, the PIN PTS program will render the information on it useless if someone steals the terminal. They also have advice for retailers to prevent skimming. It comes down to doing physical monthly checks on your terminals.
They’ve got a roadmap for 2010. They’re currently going through feedback. Majority of their feedback is coming from outside of the United States. The feedback is significant, it’s conflicting, it’s voluminous, and it takes a long time to get through it all. Russo said they’re getting through it all. From there they’ll begin releasing standards aimed for the end of October.
Many organizations come to Russo after a data breach and say, “But we were PCI compliant. How could this happen?” And after looking at their situation they may have been compliant five months ago, but not at the time of the breach. He’s never seen a case of a company that had a data breach and was currently PCI compliant.
Make sure to watch my follow up video interview with Bob Russo, “If you don’t look at your log data, how are you going to catch data breaches?”
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.