PCI DSS: No Angel, But Certainly Not the Devil

Fifty years ago, The Coasters had a top-10 hit with the song “Charlie Brown.” The song is best known for the phrase “Why’s everybody always pickin’ on me?” Charlie Brown was a loveable character who was often beat up and picked on for no reason.

Far too many in the industry similarly see PCI as such a loser and criticize it relentlessly. In our article PCI Shrugged: Debunking Criticisms of PCI DSS from April 2009, we wrote that the PCI DSS is a valuable standard. We did not then, and do not now, feel that the PCI DSS is perfect, but it is in the best interest of the industry and consumers that it be maintained, developed and expanded as well as adapted to today’s threats.

However, let’s briefly step away from this debate and consider this: imagine a large distributed retailer that has somehow survived without investing in information security. Yes, they’ve updated antivirus subscriptions on their desktops and have added a firewall, but they haven’t gone beyond that (it goes without saying that this said organization was consistently compromised by malicious hackers).

The advent of PCI worried this retailer and now they have to take security actions like encrypt, log, monitor, educate employees, and more. However, this retailer is now fighting PCI with all their strength since they believe that “PCI is too much security.” Their worldview of security is that “no security” is “just enough security.”

This is but one example of the types of the organizations that PCI is meant to put a squeeze on. That is why we’d like to remind PCI critics that as they whine about PCI as too little, too late, organizations that handle your sensitive data are conducting gross negligence in regards to security. Please get out of your perfectionist ivory tower and see the real world; a world full of security laggards — not leaders that you are accustomed to! Our justification of PCI is it needs a refresh again in reference to the article PCI Security a Devil, “Like No Child Left Behind.” In the piece, Joshua Corman of The 451 Group takes a number of swipes at PCI, makes a few analogies, but offers few facts.

We will briefly counter his objections as well as remind everybody that yearning for pre-PCI world is reckless and dangerous, since for many organizations “PCI level” of security is way above their current posture, however unbelievable it may sound to security literati.

The authors wholeheartedly agree with Corman that organizations that have made PCI and compliance the basis of their information security policies probably don’t understand PCI or security. Still, for many organizations that had no security program whatsoever, even something based on PCI will be a huge improvement over having nothing and doing nothing.

He compared PCI DSS to the No Child Left Behind (NCLB) act, and we are sure he would be curious to learn that more than a few countries with standardized education programs are producing higher quality graduates than those without such standards. NCLB has increased educational funding, improved accountability in education as well as offered the first attempts at metrics-based educational assessment; so there is absolutely no shame in this comparison.

When Corman writes that “compliance with such laws and industry standards as Sarbanes-Oxley and PCI drives companies to spend far more on security than they might otherwise”, he misses the point entirely. PCI push companies to do far more for security than their old negligent approach. Many companies start there and then eventually “graduate” to having a solid security program. Once they get there, any new standard or regulation will be easier to retrofit. Please don’t confuse companies clueless about security with PCI DSS guidance. PCI was never meant to “cure stupid.”

Perhaps the most egregious comparison Corman makes is to lump PCI with SOX. The two have truly nothing in common. SOX wasn’t the best course of action — rather, it was an imprudent regulation created by a Congress that did not know what the problem was or how it happened. One is hard pressed to find anyone who would say that the cost of SOX compliance was equal to its benefit.

PCI is a self-generated standard, created by organizations that understood the problem at hand, and then crafted a solution to address it. Ask yourself, do you want your merchants regulated by Congress or the PCI Council? Unfortunately, the third choice — to regulate themselves — has not lead to any measurable improvements in security of sensitive data. Within PCI, there are merchant levels. Visa and MasterCard divide merchants into 4 levels. Globally, there are perhaps a thousand level 1 merchants, such as Amazon, Home Depot, Continental Airlines, etc. Many of the level 1 merchants take information security seriously and diligently guard both their sensitive data as well as payment card data.

But there are millions of level 3 and 4 merchants that are largely oblivious to security, despite having lived through the virus-infested 1990s and “wormy” early 2000’s. PCI is their first foray into “alien” concepts such as encryption, monitoring, segmentation and strong passwords. Many level 1 merchants have addressed their risks and appointed staff to deal with security on an ongoing basis (despite some notable exceptions). Level 3 and 4 merchants deal with their risks by denying them since they don’t understand them. PCI is an extremely useful shortcut to addressing at least some of their risks.

Overall, lots of people have no idea about their risks — despite all the media noise and security punditry. PCI is a shortcut to mitigating risks, albeit an imperfect one (it is also the best one we have today). DSS allows these smaller merchants to start somewhere and then to make their own mistakes on their journey to security maturity. And even while you may think that the level 1 merchants were not enlightened by PCI, some definitely were.

Specifically, Corman says that “There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone’s focusing on compliance.” This is not even half of the truth: this is because people are not focused on security OR compliance; they are simply ignoring both.

Ultimately, standards and regulations are by their very nature contentious. Anyone who has been involved with a standards body, from the IEEE, IETF, ISO, etc. understand this impossibility. While Corman calls PCI the devil; in these standards meetings, participants often call each other “the devil”, and other uncouth terms. Still, consensus that emerged at the end helped improve the world, in most cases.

Finally, Corman states that security practitioners “hang on to the wooden shields — firewalls and AV — which don’t really work against new threats”. He does not explain how throwing away such admittedly imperfect defenses will help you win or even survive the battle? PCI might be the wooden shield of security, but I’d rather be protected with a wooden shield than with nothing. Don’t send us back to the pre-historic, pre-PCI world where our sensitive information is protected by wishing away the threats and negligence!

We respect Corman’s criticisms of PCI. However, slandering PCI as the personification of evil and the enemy of humankind, we suggest that he joins the fight of arming organizations with knowledge of how to use PCI DSS and other standards to survive in the world of today’s threats. Together we will be able to build steel shields and eventually evolve to more effective defensive weaponry.

Ben Rothke CISSP, PCI QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know .Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books Security Warrior and PCI Compliance, 2nd edition (December 2009) and has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management — see list www.info–secure.org.