Don’t expect credit card security – or lack of it – to be magically transformed when the new year dawns on Jan. 1, 2015, the deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3.0.
The standard, which sets security requirements for all companies that access, store or transmit cardholder data (CHD) and personally identifiable information (PII), was published nearly a year ago, on Nov. 7, 2013, and has technically been in effect all of this year.
Yet high-profile breaches of credit card data continue with alarming regularity.
Retailer Target suffered one of the largest breaches in history – 40 million credit card numbers and 70 million personal information records – last December, less than a month after the latest version of the standard was published.
More recently, P.F. Chang’s, the thrift store operations of Goodwill Industries International and Supervalu, owner of hundreds of grocery and liquor stores, have been successfully hacked.
Supervalu said there was also a related intrusion into stores it sold in March 2013 to Cerebus Capital Management but still provides with IT services, including Albertsons, Acme, Jewel-Osco, Shaw's and Star Market.
But in spite of that sobering reality, analysts tend to agree that the new standard (see sidebar below) provides a blueprint for best practices that, if observed in a “business as usual” way, will prevent most breaches.
Indeed, Bloomberg Businessweek reported in March that if Target had been more observant, it could have prevented the historic breach. The company was prepared for an attack, with a $1.6 million malware detection tool made by security firm FireEye, but failed to respond to its warnings.
“As (hackers) uploaded exfiltration malware to move stolen credit card numbers … FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … nothing happened,” Bloomberg reported. “For some reason, Minneapolis didn’t react to the sirens.”
Those warnings came before the hackers had transmitted any of the stolen data, which means the company could have avoided more than 90 lawsuits, expenses that could reach into the billions, a staggering loss of market share and brand damage if it had simply responded to its compliant system.
Bob Russo, general manager at the PCI Security Standards Council (SSC), which develops and publishes the standards, has a measure of sympathy for Target. He said he has multiple layers of security at his three-family home in New York City. “We checked all the boxes,” he said.
Yet, at 5 a.m. one morning, “somebody pranced in and walked out with laptop. Thankfully it was encrypted,” he said. “But how did that happen? We forgot to do something the night before.”
And that, he said, is the point: Security standards can only be effective if a company is in compliance all the time. That comports with a long-time mantra of security experts, that “compliance is not security,” especially when companies scramble to meet compliance standards for a yearly audit, but then let things slide until the next audit is approaching.
John Shier, who blogs for Naked Security, agrees, but said that “snapshot compliance” remains a problem with the new standard.
Shier, who conducted a mini-debate with himself earlier this year with dueling blog posts over what he considers the successes and failures of the new standard, contended in the “Why it fails” post that, “one of the greatest failures of the PCI DSS is its compliance-as-a-snapshot nature.”
The standards do have a, “business-as-usual recommendation,” he wrote. “But that's all it is – a recommendation.”
Not so, contends Troy Leach, chief tech officer of the PCI SSC. “We hear that all the time,” he said, “and we wonder, ‘Have they actually read the standard?’ We’ve been very proactive in the continuous security approach – they are requirements.”
Leach said the council has, “published a couple of documents along that line. You’re going to fail if you’re looking at getting just a snapshot of compliance,” he said, adding that the standard explicitly calls for, “continuous monitoring of the environment. It’s not about being compliant for two months and then taking 10 months off.”
That resonates with Christopher Strand, compliance consultant at Bit9, who said the new standard is a, “more direct approach to encouraging businesses to ensure that security controls are actually effective at protecting critical data rather than getting a check mark.”
And Alphonse Pascual, practice leader – fraud and security at Javelin Strategy & Research, said any organization that implements the standards fully would be, “an incredibly hard target for hackers.”
But, there are mixed estimates about whether some merchants will be ready even for “snapshot” compliance by the deadline. According to the Verizon Business 2014 PCI report, only 10 percent of companies are passing their baseline assessment. On the other hand, Kurt Roemer, chief security strategist at Citrix, told Security Week recently that organizations are, “overwhelmingly ready for PCI DSS 3.0.”
Leach said readiness generally depends on the size of the company. He said most of largest – so-called Level 1 – “are prepared and aware. The small ones, not so much.”
Russo was a bit more emphatic. “Some of the SMBs (Small and Medium Businesses) don’t know which end is up,” he said.
That, they both agreed, means the council has to do more outreach and education. “We are working on how to bridge that,” Leach said. “We’re partnering with banks and merchant associations, we have an SMB web site and are looking at several other things this year.”
That outreach, and the move to include even the smallest merchants under the PCI DSS drew compliments from Joram Borenstein, vice president, NICE Actimize, who said while it is not perfect, “the council is quite logically attempting to level the so-called playing field by reaching out to smaller merchants with dedicated resources and options for those merchants.”
Shier, in his “Why it works” blog post also praised the council for demanding the same security practices from small merchants as it does from large ones, and for providing help to those small companies in the form of a, “handy PDF guide aimed at smaller businesses,” and lower-cost alternatives for getting compliance certification.
Even with that help, however, compliance will not be easy or cheap for smaller companies. Hardly any of them have the expertise to implement everything required for compliance without the help of a Qualified Security Assessor (QSA). Shier noted that while the standard allows smaller companies to do their own assessments, that would, “make as much sense as performing your own dental surgery.
“The PCI DSS contains over 200 sub-requirements,” he wrote. “Each must be fully understood and correctly implemented in order to stay compliant.”
Strand said the demands on smaller merchants are generally not as complex as they are for larger ones. But he said the expanded scope of requirements will have an impact.
One new element is that, “vendors must consider integrated systems and other connections into their credit card data environment that weren't traditionally considered in scope for PCI,” he said. “This will probably create more confusion in interpreting the requirements of the standard."
And Rich Mogull, analyst and CEO at Securosis, who has been critical in the past of the standard, arguing that it is aimed more at protecting the credit card companies than merchants and customers, said he doubts the new standard will change things much, given the complexity and cost of compliance.
“There is more of a move to continuous compliance, but really that’s not something most organizations are ready for,” he said. “It will be interesting to see if anything changes.”
If things do change, it may be at least in part because of increased awareness of the damage that a high-profile breach can cause.
“Data security has become a board-level topic of discussion,” Borenstein said. “Executives recognize that the impact of a serious card loss breach can have a significant impact on customer perception, stock price, and more.”
Russo said he hopes that fear will motivate companies to improve their security. “There are ways to prevent these things,” he said. “When details of breaches come out, they show that most of them were caused by very simple mistakes, like default passwords.”
That, he said, is neither difficult nor expensive to change. It just takes a different mindset. “I lock my car door every day, not just Monday, Wednesday and Friday,” he said.
PCI DSS Requirements
The PCI Data Security Standard has 12 requirements to provide a "baseline of technical and operational requirements designed to protect cardholder data."
They are as follows:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel