We’re clueless about PCI . . . Let’s blame the auditors

For whatever reason, it seems that every conversation that I’ve been having with security folks these days has tended to gravitate towards PCI compliance.  Maybe it’s just that SOX is so 2004, and NERC critical infrastructure protection compliance just hasn’t quite hit its’ stride yet.  In any case, PCI is a hot topic right now.  Heartland Payment Systems and more recently Network Solutions have had a wee bit of a problem with PCI data being breached.  A fellow member at the Central Indiana ISSA chapter brought some interesting PCI news to my attention at our monthly meeting last week.  First, some background information for your reading pleasure.  Utah based Merrick Bank has recently filed a lawsuit against Savvis, the auditor of CardSystems.  CardSystems provided processing services for Merrick Bank and was certified as having met Cardholder Information Security Program (CISP) standards, which were the predecessor to PCI DSS, by Savvis.  That was in June of 2004.  In May of 2005, CardSystems was breached.  I will spare you a full explanation of the legalese, and simply say that Merrick thinks that Savvis was full of it and that CardSystems should not have been certified as meeting CISP standards.  

So, who is at fault here?  Well, not having all the facts, it’s tough to say, so I will let this be slugged out in the courts.  I will say this however, that unless Savvis was completely negligent in certifying CardSystems, then this just becomes another case of folks thinking that a checklist is a cure-all for what may ail their IT infrastructure.  Case in point would be Heartland Payment Systems whose CEO, Robert Carr, had a Q&A session with CSO magazine regarding their massive data breach that occurred in January. 

In the article published last Wednesday,(http://www.csoonline.com/article/499527/Heartland_CEO_on_Data..) Carr places blame directly on Heartland’s QSA’s whose job he evidently feels was to save Heartland from itself.  In the article Carr says “(W)e certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure.”  My hunch about the compliance part is that’s what Heartland’s IT security staff has been trying to impress upon upper management all along.  To quote my fellow ISSA member, “management just doesn’t care until a breach hits home.  Until then, (the feeling is) it’s not going to happen to us.”  As I’ve said in earlier blog posts, there is a disconnect between the realities of compliance and what upper level management thinks about it.  So, management can blame the auditors for not telling them that “PCI compliance doesn’t mean secure,” or they can educate themselves and start listening to their IT security personnel.  Of course, managers are concerned about dollars and cents.  They often think of IT as a cost center, not an asset that can save them money.   Maybe they should look into what Heartland has shelled out so far and then rethink whether adequately securing their IT systems is worth it.

PCI DSS 2.0 released - What does it mean for you?

The new version of the PCI DSS requirements were released last Fall. If you were thinking that the new version would bring you enough work to occupy your every moment for the next several months, fear not. The changes from version 1.2 to version 2.0 are relatively minor, primarily clarifications to a number of existing requirements to give clearer explanations as to the true intent of the requirement. You can download the new requirements here.

The true cost of non-compliance

Cardholder data represents a large risk to any company that holds, processes, or transfers it. Fines levied by card issuers such as Visa and Mastercard can be extremely costly, not to mention the costs of notifying cardholders of a breach, legal action, and loss of your valuable reputation. While large enterprises typically take steps to ensure their PCI compliance, many small to mid sized firms fail to do so, believing that compliance is too difficult or costly.

The good news is that achieving compliance is often less difficult than imagined, and many requirements of PCI-DSS represent good information security practices you should already have in place. Deployment of other specialized tools such as integrity and compliance monitoring should be implemented to allow you greater insight into your PCI environment and automate checking of system settings for compliance. While achieving and maintaining PCI compliance is not without cost, costs should be weighed against the risk to your enterprise should a breach occur.

International Monetary Fund, Citibank Suffer Security Breaches

This past week, it was widely reported that both the IMF and Citibank’s IT infrastructure was breached. With a breach at Sony Online Entertainment and Sony Pictures occurring slightly more than a month ago, it appears that hackers are finding more holes in the IT defenses of organizations. In an eWeek article last week, Mark Hatton, president and CEO of Core Security, noted that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.” You can read the entire eWeek article on the Citibank breach here. For more information on the IMF breach, read the SC Magazine article.

Given that hackers seem to be readily gaining access inside networks, bypassing traditional “perimeter” defenses, what are companies to do? Certainly, perimeter defenses have their place, but now is the time to investigate other technologies that give multiple layers of security. In other words, ensuring a defense-in-depth strategy. Newer, advanced IT system integrity monitoring technologies such as CimTrak function as a last line of defense in IT networks, monitoring not only critical files, but also configurations on perimeter protection devices such as firewalls. Knowing when changes occur, such as a file being added or a port being opened, can mean the difference between timely detection of malicious activity and a breach.  Visit www.cimtrak.com to learn more.