Friday, February 27, 2009

PCI DSS and Data Breaches: Perception and Reality

Now that time has passed since the Heartland credit card data breach (even though we might have another one at our hands), it is a good time to reflect on PCI DSS a bit more. I am AMAZED about how much deep [shallow too!] thinking and, even, soul-searching, has transpired in our community as a result (see all this covered under in my On Heartland I, II, III and IV series). I already posted some of my own thoughts on this in Compliant + 0wned. So, what else is there to reflect on? Plenty!

First, some folks hate PCI DSS because it is – gasp! – not perfect. Some of these same folks have hated firewalls since “firewalls are full of holes,”  hated IDS since “they are trivial to bypass” and hated logging since “good hackers never get logged” (what a bunch of crock :-)) - many also hate “the whole compliance thing” since it is “not security.” Yes, in our industry some people will hate everything that will not stop any and all attacks from an attacker of absurdly arbitrary skill level. And since such a thing doesn’t exist and won’t exist – they just hate everything but their “31337 mad sk1lz.”

To such I say: try to get out more! If you look out of your high-floor ivory tower window, you’d see there is a ginormous crowd of people who confuse a firewall with a fire-extinguisher! And those people have your credit card data, SSNs and medical records in their computers!  Get it? IF PCI DSS made ONE of these people use a firewall or update their AV (after it lapsed back in 2005), we are all better off already!

Second, PCI DSS perception has firmly split from PCI DSS ground reality. I have a love - hate relationship with “perception is reality” maxim; in some cases it rings true, it some cases it sounds silly, but ends up being true, and in some cases it is just plain idiotic and makes you live in your own world of illusions. I’ve long been tempted to summarize the whole PCI DSS perception vs reality:

Perception Reality
“PCI failed” PCI DSS works as expected – and not perfectly
PCI DSS is sufficient for good security PCI DSS is necessary, common-sense basic security
PCI is a complete security checklist PCI is a base list to build upon and grow
Everybody is just doing the minimum of PCI to get rid of it For many organizations "this “minimum” adds much needed security!
Breaches prove PCI irrelevant Breaches prove we need to drive security even more – and PCI helps with it

So, once again:

  1. PCI was never supposed to guarantee "intrusion-free"  operation, nothing did, does or will do.
  2. No canned checklist is “sufficient for adequate security,” now or ever.
  3. It makes no sense to write prescriptive checklists for the impossible (e.g. “your defenses MUST stop all known and unknown malware as well as ‘mal-hard-ware’”)
  4. If you find something to be useless for you, think – are you 1 in a 1,000,000? Have you thought about the remaining 999,999 people?
  5. There are always people who will avoid common sense, drive without seatbelts and ignore PCI DSS: so, Darwin Awards 2008 (here too) are out!
  6. Yes, there might be pressure to choose “an easygrader QSA” for your assessment; but see item #5 above. Then remember – you are still responsible for the breach!
  7. Similarly, PCI does not “create” a false sense of security due to #1 and #2 above. If you magically “feel secure” since you’ve “done PCI,” see #5 above :-)
  8. Finally, if something is NOT perfect, it does not mean it is useless.

To summarize, this and other previous breaches definitely do NOT prove PCI useless or inefficient.  They simply serve to remind us that PCI DSS was established as a standard of minimum care for card holder data security. It never meant to be sufficient for all security  or “a security silver bullet.”  Today as much as ever, the organizations needs to think about their specific risks and implement controls for dealing with said risks. Following 12 PCI requirements is a great start, but being secure cannot be reduced to a checklist:  PCI does not replace addressing the risks to your business; however, it is an awesome start for those who cannot even spell  the word “risk” today …

What is the perfect ending for this post?

I think  quoting illustrious Dave Aitel is in order: “Who here doesn't think all the payment processors are 0wned and probably always will be?”

Possibly Related Posts:


WHBaker said...

@Anton: Thanks for the refreshing read on a Sunday evening. I find I often agree with you when it comes to PCI: it's not perfect, was never meant to be, doesn't guarantee breach-free operation, it isn't the end-all-be-all of security, but does have merit. Many of the breaches we investigate would likely have been prevented if they were actually (not just QSA-deemed) compliant. Some would likely have not been prevented. Big deal.

There is always room for improvement but I definitely don't count myself among the "PCI is worthless because breaches happen" camp. I also am not in the "exercise is worthless because people still get heart disease" camp or the "seat belts and airbags are worthless because people still die in car accidents" camp.

Anton Chuvakin said...

Thanks for the comment; it is kinda sad that "everybody in the know" agrees, but many in the rest of the world do not...

Anonymous said...

@Anton Thanks for that post. I flagged it when I saw it come out but didn’t have time to read it. I’m glad that I made time to come back to it.

I think the whole argument as to whether PCI, or any standard/regulation for that matter, is worthwhile is a waste of time. As you have said these are good starting points from which to build a good program. The problem is that so many people (both in our profession and outside it) see compliance as an endpoint or goal. IMHO, Until we can change the fundamental way that people look at compliance activities we won’t be able to rise above this argument and start focusing on risk rather than compliance.

Anton Chuvakin said...

>see compliance as an endpoint or

Exactly!!! That is what is causing so much trouble, both in reality and in perception realms...

Thanks for the comment!

Dr Anton Chuvakin