Achieving meaningful PCI compliance, and real security

I am currently working with a tier 1 PCI company, assisting it with various compliance tasks. As part of the project, I am simultaneously preparing it for its annual PCI audit, responding to audits by other organizations for which the company is a key third party, and reviewing organizations that are its key third parties. It seems that with the focus on PCI compliance these days, everyone is auditing everyone else.

Despite this, we don’t seem to be reducing the number of credit card breaches, or actually making organizations more secure. According to the Verizon 2015 PCI Compliance Report, the number of security incidents is still growing, and at a significant rate: 66% per year. The same report demonstrates that despite all of the PCI audits happening, most companies are still missing the mark, with 80% failing their interim assessments. Verizon concludes from this that organizations “failed to sustain the security controls they put in place.” I would characterize the interim assessment failures a bit more bluntly: organizations “cram” to pass their annual assessment, and return to business as usual the day after the audit ends.

This is the point at which compliance and security diverge. Being compliant does not make one secure, despite passing an annual assessment. Many tier 1 companies, such as my customer mentioned above, get this, but many others, including some top card processors, don’t seem to understand. This “check it off and forget it” approach to compliance can be worse than never being compliant in the first place, because it can lead to a false sense of security. As the Verizon report puts it, “data breaches are rarely ‘smash and grab’ affairs.” Hackers going after a major company are usually in it for the long haul. So, the company passes its annual certification, at which point company management, reassured by the audit results, moves on to other things.
Procedures get lax again, and the hackers are there waiting for an opening.

Speaking of real versus perceived security, the stakes are high, with card fraud losses closing in on $50 billion annually in 2013. In its research, Verizon found that of consumers who suffered data loss as a result of a breach, 69% were less likely to do additional transactions with the company that lost their data. Also of concern to organizations subject to PCI is that court precedent on card breaches is shifting financial responsibility from the banks, where it has traditionally resided, to the company responsible for the breach. As an example, a recent federal court ruling on the Target card breach found that banks could seek to recover their losses from Target.

So how can you be secure and compliant without having to cram for your test? The following are some practical suggestions:

Begin with achievable policies

The PCI standard allows for a good bit of discretion in how policies are formulated, as long as each objective is achieved. Resist the temptation to write an elaborate policy that you will never be able to follow. Instead, your policy should match the specific needs and abilities of your company. Find as simple an approach as you can come up with, and follow it. For example, I could write a 20-page, comprehensive incident response policy and procedure, or I could create one that is simple and effective at only two pages. The extra 18 pages do not necessarily make it better for you.

Keep notes

If at any point you are subject to an outside audit, it will be critical for you to demonstrate that you are following your achievable policies (in the compliance world, we call this evidence).
The best way to show this is to make notes as you complete each policy task, and retain the notes for at least six years.

Automate where practical

I am not a fan of trying to throw money at security, but there are affordable automation solutions that can help to lighten your load, with plenty of bang for your buck. I would include in this category such tools as log consolidation and analysis, web vulnerability monitoring, and intrusion prevention.

Major on the majors

PCI is a broad standard, but there are elements that are particularly important. These include an annual risk assessment, restriction of access to cardholder data (CHD) to those with a need to know, a designated security officer who is really on top of things, incident management, and protection/encryption of CHD. I am not suggesting that you can ignore the others, but your effort should begin with the critical areas.

Have someone in charge

There needs to be someone in charge of making sure your policies and procedures are being carried out on a daily basis. In a perfect world, this would be a full-time employee with nothing else to distract them. The world is less than perfect, however, so a compromise may be required. It is OK to compromise on how you allocate personnel time for this, but not OK to compromise on allocating it in the first place.

Bottom line: Pursue compliance that accompanies real security, and that continues well after your assessment is complete. Your business, and the integrity of my credit card number, depend on it.