Does PCI Compliance Create a False Sense of Security?
The newspaper headlines tell chilling stories of thousands,
even millions, of credit card records being stolen by hackers or insiders. What’s
really frightening is that many of the businesses involved passed their
security audits – meaning that many were considered PCI (Payment Card Industry)
compliant.
But before you start questioning the value of these compliance initiatives,
it’s critical to understand what went wrong, and what can be done to protect
your customers’ data and keep your business out of the headlines.
In this three-part series we’ll examine some of the lessons learned and expose
some of the myths about compliance and security and how to achieve both.
Compliant yet vulnerable
The first and most important lesson, echoed in the headlines, is that
compliance does not equal security. A prime example is the retail supermarket
and grocery organization that passed an American Express audit and assumed it
was secure.
It came as a complete surprise to the company when it learned that 11 out of 14
stores had been compromised by an outsider. For nearly two months every credit
card transaction at these locations was captured and forwarded overseas. And it
didn’t take long to discover the source of the stolen information once the
fraud was detected.
Being compliant was a “get out of jail card” for this company, but it certainly
wasn’t free. The merchant was able to avoid the $7 million PCI-DSS fine, but
was on the hook for nearly $500,000 in consulting fees, mandated audits and new
network and security infrastructure.
This company will likely be held responsible for a significant portion of the
$1.5 million stolen in credit card fraud. And this doesn’t begin to address the
loss of revenue resulting from the negative publicity.
The lesson? Achieving network and data security is the real objective -- and
compliance will follow.
Compliance mandates embody numerous well-established “best practices” for
network security. They force you to think critically and objectively about your
business, employees, policies, procedures and systems. It’s important that you
identify where sensitive data is collected, how it’s processed and transmitted,
where it’s stored and who has access to it at any number of points.
Taking appropriate network and data security measures, like many aspects of
running a business, is a risk management/risk aversion equation. We buy fire
insurance, but perhaps not flood insurance. That decision is based on a risk
assessment and the fact that you simply cannot insure against everything.
Security is no different. The PCI-DSS (Payment Card Industry-Data Security
Standard) regulations and others were born out of necessity when it became
obvious that there was a general lack of understanding and agreement on what’s
prudent -- and that the consequences of inadequate protection are too severe.
Security life cycle: prevention, detection, response
Understanding the core principles of the network security life cycle will
provide you with a deeper understanding of the true intent and objectives of
the regulations, and a solid foundation from which to meet them. The core
components of the security life cycle are prevention, detection and response.
Prevention: Significant emphasis is placed on prevention, both within the
security life cycle and within the compliance initiatives. Elements of
prevention include requirements to use strong passwords, change vendor default
passwords, encrypt sensitive data, restrict physical access, implement antivirus,
conduct vulnerability scans and maintain updated/patched operating systems and
applications. These defensive measures, all aimed at preventing a breach,
represent a practical security strategy and all map to specific targets within
the compliance initiatives.
Detection: While prevention techniques, policies and products play a
significant role, none can guarantee that a breach will not occur. There is no
product or technique that can ensure complete security, so detection via
continuous monitoring plays a critical role in the security life cycle – it’s
the early warning system. Is someone attempting to gain access, or worse, has
someone already gained access to your network? The sooner you can answer that
question, the greater the opportunity to prevent a successful breach.
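The "early warning system" described above can be as simple as a monitor that reads authentication logs as they arrive and raises an alert when a pattern of attempted or successful intrusion appears. The following is an added example, not code from the article or from TriGeo: it parses a constructed, syslog-like log excerpt (the format, hostnames, addresses, threshold and time window are all assumptions chosen for illustration) and answers the two questions the paragraph poses, "is someone attempting to gain access?" (repeated failed logins from one source inside a short window) and "has someone already gained access?" (a successful login from that same source right after the burst of failures).

```python
"""Added example: a minimal continuous-monitoring check over authentication
log lines. The log format, thresholds and sample data are assumptions
made for this illustration, not the article's or any vendor's own."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system). Five failures
# from one source followed by a success is the pattern we want to flag;
# a single mistyped password followed by a success is normal and is not.
SAMPLE_LOG = """\
2009-03-01T02:14:03 pos-srv1 sshd: Failed password for admin from 203.0.113.7
2009-03-01T02:14:09 pos-srv1 sshd: Failed password for admin from 203.0.113.7
2009-03-01T02:14:15 pos-srv1 sshd: Failed password for admin from 203.0.113.7
2009-03-01T02:14:21 pos-srv1 sshd: Failed password for admin from 203.0.113.7
2009-03-01T02:14:27 pos-srv1 sshd: Failed password for admin from 203.0.113.7
2009-03-01T02:14:40 pos-srv1 sshd: Accepted password for admin from 203.0.113.7
2009-03-01T09:02:11 pos-srv1 sshd: Failed password for jsmith from 192.0.2.10
2009-03-01T09:02:30 pos-srv1 sshd: Accepted password for jsmith from 192.0.2.10
"""

# Assumed line layout: ISO timestamp, host, "sshd:", result, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, host, result, user, source) for each line that
    matches the assumed format; unrelated lines are skipped, not errors."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["host"],
               m["result"], m["user"], m["src"])


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts, in log order.

    'brute_force_attempt'  - `threshold` failed logins from one source
                             inside `window` (someone is trying to get in).
    'possible_compromise'  - a successful login from a source that had just
                             reached that failure count (someone may be in).
    """
    alerts = []
    failures = defaultdict(deque)  # source address -> recent failure times
    for ts, host, result, user, src in parse_events(log_text):
        recent = failures[src]
        # Drop failures that fell outside the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the line is crossed
                alerts.append({"type": "brute_force_attempt", "time": ts,
                               "host": host, "source": src, "user": user,
                               "failures": len(recent)})
        else:  # Accepted
            if len(recent) >= threshold:
                alerts.append({"type": "possible_compromise", "time": ts,
                               "host": host, "source": src, "user": user,
                               "failures": len(recent)})
            recent.clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['time']} {alert['type']}: {alert['user']}@{alert['host']} "
              f"from {alert['source']} after {alert['failures']} failures")
```

Running it on the sample prints one alert for the burst of failures against `admin` and a second, more serious one for the login that followed it; the `jsmith` lines produce nothing. In practice the threshold and window would be tuned to the environment, and the "possible_compromise" alert is the one that should page someone, since it marks the point where prevention has already failed and the response phase begins.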
Response: Most network and security professionals acknowledge that it’s not a
question of “if” but “when” an incident will occur. With reasonable prevention
systems and procedures, including real-time monitoring and analysis, you’re in
the strongest possible position to respond, but it’s still critical to prepare
and anticipate.
Your incident response plan begins with the system knowledge you acquire as you
implement a prevention system, it’s enhanced by having a detection process that
can provide timely and meaningful information, and capped by knowing where, how
and who to involve in the response.
For more on how to implement the security life cycle, there is a wealth of free
information available from organizations such as NIST, SANS and GIAC, to name a
few.
The key here is that you must approach compliance with a “security first”
perspective, recognizing that it’s a process not a product. Genuine network
security comes from a combination of best practices, education, enforcement and
most of all constant vigilance. “Checkbox compliance,” where the goal is simply
to pass an audit, is a high-risk gamble where the stakes may be nothing less
than the life of your business.
Michael Maloof is chief technology officer at TriGeo Network Security.
© 2009 Penton Media Inc.