Thursday, April 02, 2009

Thoughts and Notes from PCI DSS Hearing in US House of Representatives

Ok, so it took me 2 days to organize my thoughts; meanwhile, I’ve seen some excellent accounts of this, as well as some truly sucky ones.

So, objective content first:

Second, key quotes from the hearing for those too busy/lazy/tired of the whole thing :-)

Intro by Chairwoman Clarke [full testimony PDF]:

“In light of the rising number of publicly reported data breaches, Chairman Thompson launched an investigation to determine whether the PCI Standards have been effective in reducing cybercrime. The results of this investigation suggest that the PCI Standards are of questionable strength and effectiveness” [for decreasing cybercrime and data theft].

“I do not believe the PCI Standards are worthless; in the absence of other requirements, they do serve some purpose. But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.”

“The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now.” [emphasis by A.C.]

“First, the standards have to be better because they are inadequate to protect against the methods used by modern attackers. Despite what the credit card companies say, for millions of small and large businesses out there, the PCI Standards are the ceiling and not the floor. The bar has to be raised.” [emphasis by A.C.]

“Part of the problem is that the standards do not require more frequent penetration testing. The only way to reduce breaches is by continuously testing and attacking a system through penetration testing and timely mitigation.” [emphasis by A.C.]

“Second, the payment card industry and issuing banks need to commit to investing in [payment] infrastructure upgrades here in the United States. In a response to the Committee’s investigation, one breached company noted that ‘the effectiveness of data security standards is inherently limited by the technology base of U.S. credit and signature debit card processing networks.’”

Follow-up by Chairman Thompson [full testimony PDF], who actually led the investigation of the whole problem:

“We are here today to learn about the private sector efforts to combat data breaches and cybercrime, and to assess the quality of the Payment Card Industry Data Security Standards. The Standards have been around for several years, but massive, ongoing data breaches at some of America’s largest merchants suggest that the Standards are inadequate to prevent breaches. The essential flaw with the PCI Standards is that it allows companies to check boxes, but not necessarily be secure. Checking boxes makes it easier to assess compliance with a Standard. But compliance does not equal security.”

“We have to get beyond check box security. It provides a false sense of security for everyone involved, and it is ineffective in reducing the real threats. Companies need to understand that even if 100 percent compliance with the PCI Standards is achieved, hackers will continue to develop techniques to exploit the computer systems of companies holding cardholder data. You are not safe unless you continually test your systems.” [emphasis by A.C.]

“We in Congress must seriously consider whether we can continue to rely on industry created and enforced standards, particularly if they are inadequate to address ongoing threats. I look forward to working with my colleagues on both sides of the aisle and across Committee lines to further explore whether government action is necessary to protect against these threats. One thing is certain: the current system is not working.”

I am unable to quote some other testimony, as I will get angry (e.g. testimony from a CIO [PDF] who thinks PCI is “onerous”, but has XSS and SQL injection flaws on his “compliant” site, more XSS here); let others who are more relaxed do that. In brief, these are the folks who think that PCI is waaaaaaaaaaaaaaaaaaaaaay more security than they will ever need.

Last, some minor league punditry – I will try to focus on highlights only, as there was A LOT going on:

  • The purpose of the hearing was very simple: continue the subcommittee’s investigation into whether PCI DSS helps to reduce cybercrime and data theft.
  • I was amazed at how well-prepared the congressmen were and how they asked the right questions (e.g. “Where are the metrics showing how many breaches were prevented?”)! Their briefs/prepared statements as well as the questions they asked during the hearing revealed that they did get to some of the “hidden truths” about security, compliance, data loss, cybercrime, etc.
  • There was a lot of talk about “shifting risk”, mostly as if it is a bad thing. Somehow nobody noted that shifting risk to where it belongs is exactly what is needed (why should an issuing bank pay if a merchant loses the data?). Apart from this, there was a lot of very public and noisy blaming, from merchants to brands, and not enough “let’s solve this problem together!” And you know what? Blaming today –> legislation tomorrow –> you go to jail the day after…
  • At one point in the hearing, I felt that a pillow fight was imminent! The subject was card data storage by merchants. PCI limits such storage and mandates protections for what you can store (the “render unreadable” clause), but merchants keep saying “PCI makes us store data” (even though only some acquirers might, and there are methods to do chargebacks without PAN storage), while Visa/PCI Co state the exact opposite. All this accomplished was making committee members angry (they said “this discrepancy is VERY troubling!”). BTW, here is a fun resource for merchants that was mentioned: Visa’s “Drop the Data!” site.
  • The theme that was mentioned many, many times by the government side was: we need more security testing, more ongoing monitoring and more focus on securing the data. Things like that made me think that committee members actually “get it.”
  • The subject of the future came up as well – most agreed that changes towards more secure payment networks and methods are needed, but Branden’s take on this is best: today, sadly, we have BOTH insecure payment methods and insecure merchant networks. So, stop blaming and start securing!
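Since the “PCI makes us store data” vs. “render unreadable” argument above was the hottest part of the hearing, here is what the alternative looks like in practice: keep only the truncated PAN (first six, last four) plus a keyed hash of the full PAN, and match chargebacks on the keyed hash instead of the card number. This is an added illustration written for this post, not code from the hearing, from Visa, or from the PCI standard; the key, the sample PANs (industry test numbers) and the record layout are all constructed for the example.

```python
"""Added example: storing card data in a 'rendered unreadable' form so that
chargebacks can still be matched without a full PAN ever sitting on disk."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed key for this example only. In a real deployment the key lives in an
# HSM or key-management service and is never a string in source code.
EXAMPLE_TOKEN_KEY = b"example-only-hmac-key-not-for-production"

# Constructed sample PANs (well-known industry test numbers, not real accounts).
SAMPLE_PAN = "4111111111111111"
OTHER_PAN = "5555555555554444"

# A run of 13-19 digits not embedded in a longer digit run: a PAN-shaped string.
_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; used to validate input and to recognise
    PAN-like digit runs in free text (logs, exports, debug dumps)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the BIN (first six) and last four digits, which is the
    truncated form PCI DSS allows to be stored and displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = EXAMPLE_TOKEN_KEY) -> str:
    """Keyed hash of the PAN. An unkeyed SHA-256 would be brute-forceable: once
    the BIN is known, only a few hundred million Luhn-valid candidates remain."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_authorization(pan: str, amount_cents: int, auth_code: str) -> Dict[str, object]:
    """Build the record a merchant keeps after an authorization. The full PAN is
    validated, tokenized and truncated, and never placed in the record."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return {
        "pan_masked": truncate_pan(pan),
        "pan_token": pan_token(pan),
        "amount_cents": amount_cents,
        "auth_code": auth_code,
    }


def find_chargeback_candidates(records: List[Dict[str, object]], pan: str,
                               amount_cents: int) -> List[Dict[str, object]]:
    """Chargeback lookup: the issuer's dispute carries the full PAN, so recompute
    the token and match on it; the stored records never held the PAN."""
    token = pan_token(pan)
    return [r for r in records if r["pan_token"] == token and r["amount_cents"] == amount_cents]


def contains_full_pan(text: str) -> bool:
    """Cheap check for a full PAN leaking into logs or exports: any Luhn-valid
    13-19 digit run. Truncated PANs contain asterisks, so they do not match."""
    return any(luhn_ok(m) for m in _PAN_RUN.findall(text))


if __name__ == "__main__":
    rec = store_authorization(SAMPLE_PAN, 1999, "A1B2C3")
    print(rec)
    print("matches:", find_chargeback_candidates([rec], SAMPLE_PAN, 1999))
    print("leak in log line:", contains_full_pan("cardnum=4111111111111111 amt=19.99"))
```

One caveat that matters for the design: the truncated PAN and the keyed token must not be stored next to the key. With first six and last four known, only the six middle digits are unknown, and Luhn cuts that to about 100,000 candidates per record, so anyone holding the key can recover full PANs from the pair in seconds. Keep the key in a separate trust boundary, and run the `contains_full_pan` style check over logs and exports, since a “compliant” database is not much help if the web tier logs the raw card number.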

Finally, for me the key takeaway (BTW, missed by the media coverage) was:

Yes, PCI DSS was criticized by BOTH government AND the merchants/NRF, BUT for ABSOLUTELY OPPOSITE REASONS (!!!)

…Please pause here and think…

Congress essentially said “PCI is not enough; we need to do more! Do more now – or we will legislate” while the merchants said “PCI is way too much; we don’t, can’t and won’t do even less.” That to me was the central point to ponder – also, I hope that this hearing will lead to more focus on data security, more attention to continuous security/compliance, better compliance rules and more enforcement of such rules. This can only be good for everybody!


Dr Anton Chuvakin