Monday, March 30, 2009

Thoughts After Chicago “PCI Dinner” Panel

As I mentioned before, I did this other panel aka “PCI dinner” in Chicago with Branden Williams, Davi Ottenheimer and William Cook, a notable IP/security lawyer from Wildman Harrold. Apart from washing down filet mignon with Sterling cabernet, a lot of fun discussion on PCI DSS took place and a few surprising insights were born. Compliance vs/with/in place of/against Security was definitely one of the major themes.

First, here is one of the insights that appeared. The discussion about PCI DSS and breaches led to a question: “Yes, companies suffer when they experience a breach; but do they suffer enough?” What makes one credit card breach almost unnoticeable on the company books (see: TJX), while the other leads to company’s near-demise (see: CardSystems)? What seemed to emerge was: if the victim company admits failure [of at least admits “a little something” :-)], seems to be trying hard (or, at least, “is seen as trying hard”), goes public with the breach soon enough, etc, the regulators are likely to be more lenient and not penalize it that much (sorry, but $150k fine is NOT “that much”!). On the other hand, companies who are seen as negligent even after the breach, claim innocence despite the facts, behave arrogantly (“No, it is NOT our fault! Screw you! Sue us!”), are more likely to be penalized severely and maybe driven out of business. What do you think?

Another theme, repeated here as well as during the previous panel, was that a nice fat data breach is still the best motivator for security spending and implementation. Definitely, it is “neat” when the breach happens to a similar company that you know well, you get the motivational power without the disclosure loss and all the post-incident frenzy. But then it “decays”: people start questioning their security spending approximately one or two years after the breach. Organizations end up overspending on security right after the breach; instead of spending smaller amounts of money over time. How do you prevent that? I think this shows some uber-desperation for good security metrics!

Next, “outsourcing PCI” via 3rd party credit card processing is seen as a way to replace the security issue with the contractual issue. If you suck at security and you don’t suck at contracts, the whole “PCI in the cloud” thing kinda makes sense. I suspect that, sadly, many companies know how to deal with contractual issues better than they know how to deal with security issues…

A lawyer brought a good point about “director/officer liability”: compliance does invokes director or officer liability for failure to comply (with, say, PCI), all the way to personal liability. On the other hand, security is rarely seen as something that threatens CEO directly and personally.

The subject of incompetent, ignorant, negligent QSAs came up in the informal discussion. Oops, sorry, I am not at liberty to say more :-) One thing we discussed was: what is more common reason for being “maybe compliant but definitely not secure” - a negligent QSA missing stuff OR a negligent organization, which deceives or misleads their QSA? I was surprised to hear that it was the former. For example, a QSA asks a leading question (“You do this, don’t you? You have this handled just fine, riiight?”) and the organization responds “Yes.” with no additional details. No other information is provided and the answer is accepted.

What deeply shocked me was that somebody reported that a well-known QSA firm was supposedly seen using THE SAME “PASSING” RoC as a template; they just change the assessed company name (!!!) When asked, why don’t their …. victims… eh… clients “rat” them to the council’s QA program, they, reportedly, responded: what if we will be seen as liable? What if a new QSA will “make us do more”? I also learned how to “opinion-shop” for QSAs: ask a bunch of questions to a bunch of QSAs and pick one whose answer presents the smallest gap between your environment and a compliant state (yes, really!)

Here is a fun one too: audience also called for the card brands to solve the problem by creating a more secure payment system. Some suggested that PCI is card brands’ way “clearing risk from their books.” I too would like to see us adopt a more security electronic payment system …. in my lifetime. Also mentioned was how “chip-and-pin” moved fraud from Europe to US, rather than eliminated it.

Also, a lawyer suggested that organizations must not change anything after the breach so that good evidence can be collected. He said that it is even important to indemnify the employees from past security mistakes at the moment of the breach. If you do not do this, a lot of things will be changed by the employees, who are afraid of being blamed for the breach. Good advice – but hard to follow – here!

Finally, we also did a quick unscientific poll: who do you fear more – a hacker or an auditor? It goes without saying that auditors won this round as well, just as the last round. Its OK, folks, just stay 0wned, it’s all good. Just don’t fail the audit :-)

Possibly related posts:

Dr Anton Chuvakin