5 Myths and Realities of PCI Compliance

In the wake of major security incidents such as the Heartland Payment Systems data breach, critics have focused on the perceived flaws of the Payment Card Industry Data Security Standard (PCI DSS, usually shortened to PCI) and on the role of qualified security assessors (QSAs).
QSAs in particular have been called out by critics such as Heartland CEO Robert Carr, who in a 2009 interview said that PCI audits done by the firm's QSAs were "of no value" in preventing the company's data breach.
PCI supporters, however, say it isn't the standard or standard-bearers that are flawed - it's how merchants and other organizations approach PCI compliance.
"'I was PCI compliant and I was breached' -- this is a very misleading statement," says Bob Russo, General Manager of the PCI Security Standards Council. "When a company is PCI compliant, it is within a snapshot of time. Companies need to ensure that their goal is to be secure and not just gain a compliance certification."
Organizations also need to accept that PCI compliance is a process - not a piece of paper, says Marcus Ranum, a well-known security practitioner and Chief Security Officer of Tenable Security. "The basic problem with PCI is that it is making security into a checklist, and good security can never be attained by a checkmark process," Ranum says. "What organizations need to understand is that PCI is a minimum baseline requirement toward security, and companies just cannot afford to focus on PCI alone in being secure."
The selection of QSAs "is very critical," says Ranum. Organizations should interview the individuals who will conduct the assessment, and obtain their resumes and a list of the client organizations they have worked for, to fully understand their expertise in the field.

"The standard is solid; there is nothing in the standard which needs change or requires to be addressed immediately," says Russo. "What companies must understand is that they need to focus on effective security practices and controls on a continuous basis and monitor logs, which often go undetected."
Following are five myths and realities detailed by PCI compliance experts.
PCI Compliance: Myths and Realities
Myth #1. A QSA is Responsible for Security

A QSA is only a third-party assessor who comes in to verify that the client organization is, by and large, in compliance with the PCI DSS and has an effective security program in place. "There is no excuse for anomalies," says Ben Rothke, QSA and senior security consultant with BT Global Services. "If an organization has no security in place, the gaps are so huge that a QSA or any outside auditor cannot be of much help." Senior management needs to take security seriously and implement effective controls and practices to minimize the chances of being breached. The tone has to be set from the top down to cultivate a successful information security program at any organization; the QSA then steps into the role of a trusted advisor.
Myth #2. Companies Can Instantly Be PCI Compliant

"'We use all applications and tools that are PCI compliant; therefore, we are OK on PCI,' -- that is a very common attitude with organizations," says Rothke. While software and hardware can aid a PCI compliance effort, no single vendor or product addresses all 12 requirements of the PCI DSS, and a product that is itself validated does not make the environment around it compliant. To be compliant, an organization needs to understand the importance of security and invest in implementing best practices on an ongoing basis.
Myth #3. PCI is 'Enough Security'

"Most organizations think that PCI is all they have to do to be secure," says Blake Huebner, QSA and PCI team lead at NetSpi, a security assessment and program development consulting company based in Minneapolis, MN. "'I passed the audit; therefore, I am good and safe.'" This is far from reality, because the QSA's role is to validate the environment and practices associated with cardholder data, as defined by the PCI Council, and to confirm that effective controls are in place. "However, this is a point-in-time audit and is not reflective of changes made throughout the year," says Huebner. PCI is only a necessary baseline: it focuses on the security of cardholder data and does not address intellectual property, the privacy of other data, or the rest of an organization's information assets.
Myth #4. PCI is Confusing

"We hear organizations say that PCI is confusing and not specific," says Huebner. "This attitude is mostly because critics have not invested the time and effort in going through the PCI DSS documents, which clearly explain what processes and steps to follow and how to validate the changes addressed," he says. Companies need to spend time reading and understanding the documents to gain clarity.
Myth #5. PCI is 'Too Hard'

At the end of the day, the PCI DSS is simply about good information security fundamentals, supporters say. "Any organization with a formal enterprise security strategy will find that PCI is not a daunting thing to deal with," says Rothke. PCI codifies basic security practice, and it becomes hard only for organizations that do not already have an effective security program and controls in place.