PCI Shrugged: Debunking Criticisms of PCI DSS

PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security's best interest. Here they refute common complaints and criticisms of PCI DSS.

PCI is a pragmatic standard which requires security-comatose organizations to wake up to their responsibilities. And while PCI is only required for companies dealing with credit and debit card holder data, its relevance is germane for any organization.

The writers of this article are not suggesting PCI DSS is flawless. Yet even with its limitations, is it better than the status quo of self-enforcement, or sadly, security negligence. Information security professionals who should know better are attacking PCI for baseless reasons. The standard is one of their most effective weapons for getting attention from senior management.

Let's now take a look at some of the issues/complaints leveled against PCI and see how they really stack up.

Complaint: PCI is a Distracter from Security and Risk Management?

A common complaint among those who have to deal with PCI on a regular basis is that being compliant with the payment card standard takes away from the time, money and effort that could be better spent on core information security issues. But we beg to disagree; everything about PCI is core security. One cannot start dealing with advanced security and technology topics, such as thwarting loss of intellectual property or insider threat protection, before the PCI-prescribed basics such as network control, anti-malware, system logging and more, are in place.

Previous data security efforts, such as Sarbanes-Oxley, have encouraged a check-box approach to compliance. However, those organization organizations that have developed a formal information security program will find that PCI compliance is useful for security and not an onerous distraction. The 6 PCI DSS control areas and 12 objectives all correspond to good security practices. Therefore, if an organization has a mature security program, PCI DSS will be easy. If they don't, PCI DSS presents a perfectly logical place to start.

While an organization can attempt to pursue PCI DSS compliance for compliance sake without regard to security, such irresponsible behavior can hardly be blamed on PCI DSS standard itself. Thus, most security practioners who feel that PCI DSS detracts from security probably do not understand PCI or the fundamentals of information security.

Complaint: Data Breaches Prove PCI DSS Useless?

The Heartland breach has been used extensively by the media to show that PCI is ineffective. While the dust has yet to clear from Heartland, let's assume for a moment that this large payment processor was 100% PCI compliant. True, we do know that Heartland was most likely not complaint at the time of the breach, but bear with us. One should not assume that compliance necessarily means that breaches can't occur. A simpler explanation applies here: they were breached despite being PCI DSS compliant.

It is surprising to the authors that security professionals will hold the view that following an external guidance document can guarantee 100% security to any organization. A person can walk out of a doctor's physical in seemingly perfect health and drop dead before their reach their car. That does not necessarily mean that the doctor was incompetent or that medicine is a faulty science! In much the same way as a doctor cannot guarantee the health of the patient, neither PCI nor any other regulatory guidance can guarantee that there will not be breaches. 100% PCI compliance does not guarantee an entity is 100% secure or even as secure as they need to be. Complexity is the worst enemy of security and today's payment systems and merchant networks are far too complex to be made bullet-proof. If Heartland proves anything about PCI, it is that basic PCI DSS security is not enough.

Complaint: PCI is Just Security Theater?

Security Theater is a term popularized by BT CSO Bruce Schneier. Schneier used it originally to describe what he see as the ridiculous TSA security measures in use at US airports. This security theater gives the semblance of security, but with no real security benefits nor risk reduction.

Can PCI be used as security theater? Certainly it can. An organization can quickly follow the letter and not the spirit of the standard just to get the auditors off their backs. They can procure some security appliances and other hardware, find a QSA (Qualified Security Assessor) who is not aggressive enough and pass their assessment.

However, if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antitheses of security theatre. PCI compliance is simply taking 12 core areas of security and implementing them. PCI is not the alpha-omega epitome of security; it is meant to be used as a lower limit of security, not the ultimate goal.

Complaint: PCI a Dumb Checklist?

Noone likes peas. As children, Mom made us eat them. Maternal verification of pea consumption was made by simply looking at the plate; an empty plate meant a belly full of peas. Of course, Mom could have verified consumption by checking the pea-covered floor, or looking at the dog's green teeth.

For many, PCI compliance means emptying their plates via yet another compliance checklist. They often do the bare minimum in the hope that they can gain compliance and make the QSA go away. At times they may even lie to their QSA or on the Self Assessment Questionnaire (SAQ).

Organizations that are serious about security realize that checklist-based security is not the same as risk-based security. Far too many organizations have an audit-based mentality with the frame of mind of evading the auditor, as opposed to a risk-based mentality of protecting the cardholder data.

PCI DSS is a good start of a security program, not its end. Checklists do have their place in security, but a security program cannot be reduced to a checklist; attempts to pretend that an organization can 'follow the checklist to become secure' are guaranteed to fail. As Bruce Schneier has noted: security is a process, not a product.

What the Future Holds

At the Visa Global Security Summit in March, Ellen Richey, Visa Chief Enterprise Risk Officer, stated that despite recent data breaches at two payment processors, PCI DSS remains an effective security tool when implemented properly. Recent events revealed that breached organizations seemed to have disregarded PCI's common sense security guidance and were later removed from the list of compliant organizations. Thus, every breach further proves the need for a comprehensive payment security standard.

Not only is PCI not dead, it is alive and well and maturing. In its current version 1.2, it is still evolving, but it is clearly the best we have. The authors challenge anyone to find a better standard or regulation. PCI has helped countless organizations to jumpstart their security programs from scratch. It helped them move from security ignorance to first addressing the basics and then to their own security nirvana.

Most of those who make baseless criticisms of PCI simply lack an understanding of the fundamentals of information security and risk; they also lack an understanding that many organizations need to learn to "stumble" with security before they can walk, much less run.

Conclusions

Most attacks against PCI boil down to we don't like it or PCI is useless, rather than a direct critique of the standard, or ways in which in can be improved.

PCI has taken the masses of security illiterate companies and forced many of them into some semblance of security. It has showed given them 12 specific requirements in which to start their security program. The biggest positive of PCI which fully justifies its continued existence is that it shoved security in the faces of people who managed to live through the wormy 90's and the lossy 00s without paying much attention to information security, under the guise of "it can't happen to us".

PCI is not perfect; but neither is the world in which we live. PCI is not security pixie dust to magically make security-ignorant organization secure despite itself. If an organization is hell-bent on ignoring security, PCI will not make them security conscious. If they want to become more secure, PCI DSS guidance can be of service to them.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know

. Dr. Anton Chuvakin is involved with PCI DSS compliance at Qualys. He is an author of the book Security Warrior
and a contributor to books PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
, "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", "OSSEC HIDS" and others.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies