
PCI Compliance: 'Scary how much people don't understand'

Interview with PCI Expert Diana Kelley on Challenges of Meeting New Security Standard
May 12, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Diana Kelley, partner at Security Curve, an information security advisory company that performs PCI audits, shares her insights into the PCI issues facing both financial institutions and retailers.

Kelley, a former information security analyst at Burton Group, was previously an information security advisor at top companies including CA, IBM, KPMG and Entrust, among many others. She is a frequent conference speaker and has authored numerous white papers, research documents, articles and book chapters on the subject of information security.

Q: The not-so-simple art of PCI compliance - where are we in terms of maturity?

Kelley: Retailers are taking it very, very seriously. The only brand that is putting out numbers on compliance is VISA, which I find very frustrating. Their numbers are low, but absolutely looking better and better, especially in Level One merchants. I hear a lot of concern from Level Two and Level Three and Level Four merchants. Here in the US they're taking it seriously, in the Nordic countries and the UK they are taking it seriously, hopefully we'll see it spreading throughout Europe. There's been that mindset of "We're chip and PIN, and you people are idiots because you're still mag stripe over in the US" over in Europe, and they act as if the chip and PIN solution is invincible. It is not. It only changes the threat model, but it doesn't change the PCI requirement. Once the merchant has that PAN (Primary Account Number), as a merchant it doesn't matter whether they got that off of a card with a chip or off a magnetic stripe card or it was handed to them written down on a piece of paper. The thing that matters is they have it now, and that is where PCI picks up, when a merchant possesses that PAN. Then they have to authorize it and store it.


With the Nordic countries and the UK taking PCI seriously, I hope it continues and spreads throughout Europe.

What I've heard from Bob Russo, general manager of the PCI Security Standards Council, is that over in Asia, because many companies located there have embraced adoption of ITIL and ISO 27002 standards, they're not as resistant to adoption of PCI as other areas of the world. What they're resistant to is spending more money because they've spent so much money on these very large compliance projects to become ITIL or ISO compliant. They're asking the council to look at what they've done and do some mapping to it, rather than going through this whole other fire drill of compliance work with PCI.

In the US, the problem I see when I speak to customers is that they don't get it. It is really scary how much people don't understand PCI. I talk very often about zoning or segmenting networks and people hear that and think "well, I have a switch in place" or "I have a firewall on my perimeter" and think they're done. Then when I explain what the term segmenting really means to their company, and give specific examples, such as segmenting the wireless ports or guest access to the network, then those same people reply "Oh, we didn't know that was what you meant." Then their faces turn white when they realize that their network was open to guest users.

Another conversation I had with a major retailer went along something like this, "Well we only have one database administrator at our corporate headquarters and he has a lot of controls set when he goes to the database." I replied, "So at your retail stores how are you protecting the collection at the point of sale and transmission?" To which the retailer said, "Oh, that's included?" Again, faces turned white when they realized that they did have a problem.

Q: What is your opinion of what happened at Hannaford?

Kelley: Card Systems was hacked when they were compliant with the predecessor to PCI, the VISA card security standard. Being compliant is no guarantee that the card information won't be stolen. It's no guarantee that there's no liability on the company that suffered the attack, and the second that the assessor leaves and anything is changed in the network environment, say a control is turned off, that could potentially bounce them back out of compliance.

With Hannaford we've still got pieces emerging from the case. What jumped out at me was that the data was taken during the authorization phase. A lot of companies that don't hold the PAN after authorization are in a little bit of a fantasy land if they think they can't be hacked because they don't hold the PAN or store it. It doesn't matter whether it was a 12-hour holding period or a 12-second holding period; the hacker only needs to see it go by in order to capture the number. Companies have to be very cautious about any time that a PAN is on their network. They only need a second to grab that number.
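A defender's check that follows from two of Kelley's points above (segments that were never meant to carry card data, and a PAN that is in scope the moment it crosses the network, stored or not): an added example, not code from the article or from Security Curve, that scans constructed per-segment payload records for Luhn-valid PANs and reports them masked, so a team can see which segments actually carry cardholder data and belong in PCI scope. The regex, segment names and sample records are assumptions made here for illustration.

```python
import re
from typing import Dict, List

# Candidate 13-19 digit runs, allowing single spaces or dashes between digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid PANs found in a payload; digit runs that fail Luhn are dropped."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scope_report(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group masked PAN sightings by the network segment that carried them."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        found = find_pans(rec["payload"])
        if found:
            report.setdefault(rec["segment"], []).extend(found)
    return report


# Constructed sample records (segment label plus captured payload text); not real traffic.
SAMPLE_RECORDS = [
    {"segment": "pos-vlan", "payload": "AUTH req pan=4111111111111111 exp=1225 amt=19.99"},
    {"segment": "guest-wifi", "payload": "GET /menu.html HTTP/1.1 Host: cafe.example"},
    {"segment": "guest-wifi", "payload": "order 5500 0000 0000 0004 table 7"},
    {"segment": "corp-lan", "payload": "ticket 1234567890123456 opened by helpdesk"},
]

if __name__ == "__main__":
    for segment, pans in scope_report(SAMPLE_RECORDS).items():
        print(f"{segment}: {pans}")   # a PAN on guest-wifi means that segment is in scope
```

The corp-lan ticket number is a 16-digit run that fails Luhn, so it is filtered out rather than reported as a false positive.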
