PCI Put to the Test by Recent Breaches
Interview with Bob Russo, head of PCI Security Standards Council
Bob Russo, general manager of the PCI Security Standards Council shares his views on what happened at Hannaford, as well as other topics.
As the "face" of the Council, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa, Inc. to drive awareness and adoption of PCI-DSS. He also oversees the Council's training, testing and certification programs for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and related staff and serves as a key resource for the certification process. He has more than 25 years of high-tech business management, operations and security experience.
Q: What is the PCI Security Standards Council's opinion of the Hannaford/Okemo breaches? Hannaford claims that it was PCI compliant at the time of the breach. What happens if they are found to have been compliant?
Russo: Unfortunately, I can't answer if they were compliant at this point. It's easy to stand up and say "I was compliant," but I haven't seen any of the forensics yet, so I can't tell you. What I will say with absolute certainty is that if in fact they were compliant, and there is something that needs to be updated in the standard, we will do it. From the things I have been reading about the case so far, I don't see any deficiencies within the standard. The standard has controls in it to cover all the areas I've been reading about. Had they been compliant with those areas, I don't see how this could have happened. Until I have the information, I can't make an absolute statement that they were compliant or they weren't compliant or the QSA screwed up, the merchant screwed up, or there's a new exploit we've never seen before because we don't have enough information. The standard is solid, from everything I've been reading. I don't think it is the standard that will need to be adjusted. Let's give everyone the benefit of a doubt until all the information comes out, and Hannaford has said they will make everything public when the investigation is complete. We'll have to see what shakes out.
Q: In the case of the Hannaford and Okemo breaches, the data was taken in transit. What's the council's take on what happened?
Russo: The standard has provisions to cover this on a private network. From what I'm reading about the case, it occurred on their private network. If they're following the standard, there should be no way that a sniffer could be placed inside the network. Even if they did get a sniffer in, with monitoring you would pick it up and realize something was there. I just don't see how it was possible. There are a lot of "ifs" in my mind on this, and until I get the information on the forensics to see what happened, I really don't know. All I can say is the standard is solid and addresses those "tootsie pop" network setups (hard on the outside and soft on the inside). There are enough controls in the standard to prevent something like this from happening, and to say to all the merchants that now they have to harden the inside of their networks would be unreasonable and cost a ton of money. I think merchants would be up in arms. I will reserve judgment until I see the final set of forensics on this. There may be a crack somewhere in the PCI armor that I don't know about, but from what I've seen so far the standard is solid.
Q: Tell us about the PCI-DSS, and how it has evolved.
Russo: Each one of the five major credit card brands has instituted its own compliance program for the past four or five years, and each one maintains its own compliance program. They're all somewhat similar. When PCI was first talked about, everyone interpreted it a different way -- a merchant could get different answers to the same question from the different brands on compliance. So the brands came together nine months before September 2006 and began talking about adopting one standard that could be the basis for all of their compliance programs. That became the PCI Standards Council. What PCI ended up being was one standard that each brand could accept as the foundation of their separate compliance programs. This was a milestone in the industry. These five card brands are some of the fiercest competitors you'd ever want to meet, and the fact that they came together to hammer this out for the good of the industry was nothing short of a miracle.
Q: What's your role as general manager for the Security Council? How does the council operate? What are some of the accomplishments so far?
Russo: I am the face of the council, and my job is to manage the different standards, to vet and test them and make sure all of the assessors are up to snuff; to make sure that everyone is trained and we are all playing on a level playing field. In 2007, in my first full year with the council, it was a branding exercise. I was evangelizing what the standard means. I let people know what the standard is (and what it isn't), what the council does (and what it doesn't do), and how the standard helps. People think PCI is the end-all, be-all when it comes to compliance - we have nothing to do with compliance. Compliance is handled specifically by the brands. We are in charge of the standard and making sure it is as good as it can be. The first year, I practically lived on airplanes, and in 2008 it hasn't been much less. I will have been in Las Vegas seven times in the last couple of months, as an example.
Some of the things we can look back on as successes in 2007 are the formation of the participating organization group (as we call it) to help the council evolve the standard and make it better. We were looking for banks and merchants and people who were actually involved with the standard on a daily basis to join this group. Initially we thought we would have 50 or so organizations join. Right now we are hovering in the neighborhood of about 450 organizations. It was a bit of a surprise -- we thought only the biggest banks would want to be involved in the council. But merchants flocked to join the participating group; they want to be a part of it too. We are getting feedback from these 450. Every month we're averaging another 10 companies joining the group. They want to be a part of the evolution of the standards and get in the action to craft it to make sure we're getting the latest and greatest on what's happening out there in the industry.
We trained more than 1,500 assessors in 2007 worldwide; we have 150 QSAs and about the same number of approved scanning companies. The first year my mouth wrote a lot of checks, and now this year we have to cash them. We're doing a good job; in the first quarter of 2008, we updated the PIN entry device standard, and last week we updated the Payment Application Data Security Standard (PA-DSS), which is Visa's old payment application data security standard. We answered over 2,000 questions last year on our website, and now have a searchable database on our site where people who have questions can type them in and the most suitable answers from those 2,000 questions now come up, so this helps people find the right answers to their questions.
Q: Who needs the most help on PCI and what is the council doing to help them?
Russo: We put out a new "frequently asked questions" document on our site. This helps those level 4 organizations who don't usually have a dedicated resource to perform PCI compliance and won't have the answers to the questions we ask on the compliance questionnaire. They know how to make pizza; they don't know how to answer security questions. They don't know any of that stuff, so we crafted this FAQ for the different kinds of merchants out there that need answers. We've received tremendous feedback on the FAQ so far. We're making the transition now. First we went to the level one merchants where the risk was greatest. These level one merchants are all pretty much on board at this point; if they're not already compliant with PCI requirements, they're well on their way. Now we're concentrating on the level 4 merchants, who number about six million, and they're all looking for solutions for PCI compliance. A lot of them don't know specifically what PCI is, but I daresay if you look in any mainstream newspaper or trade magazine and they're talking about credit cards, the acronym PCI comes up. I hate to say things like "TJX helped PCI awareness" (I don't want to see any more of these breaches).
I personally can show how the TJX breach raised awareness among consumers about credit card security. My wife is a world-class shopper. In any of the stores that have been breached in the last two years you will probably see her photo on the wall as 'shopper of the month.' At Christmas time, I went to pick her up at a local mall, at one of the big stores that has experienced a breach. As I got there, she was just coming up to the cashier. My wife pulls out her credit card and hands it to the 17-year-old cashier and as she does she asks the cashier, "Is my credit card going to be safe here?" The cashier looks at her like she has two heads and says, "Lady, I'm going to take your card and swipe it through the card reader and hand it right back to you, how can it not be safe?" My wife says, "Okay, I just wanted to be sure." Now my wife didn't know what could possibly happen inside the machine or inside the back office, but from everything she has been reading she had the wherewithal to ask, "Is my credit card going to be safe here?" The public is getting smarter. They're getting it. Though they still don't know the difference between credit card fraud and identity theft, which is a good thing for us. Because if they think their identity is being stolen at one of these places they're shopping, they're going to be up in arms thinking that someone can go buy a house with their stolen identity. They'll eventually punish that merchant by walking out and going to a different merchant.
Companies need to be cognizant of this and realize consumers are getting smarter and they're looking at this and eventually will ask merchants, "Are you PCI-compliant?" Merchants have asked us for some kind of an icon they can put on their cash registers to denote they are PCI-compliant. That's not what we're about. The default is they need to be compliant. Consumers need to go everywhere and feel safe about using their credit cards and think that the merchant is going to protect their information. Ultimately that is what it will come down to, at the smallest merchant, the mom-and-pop-type restaurant, who doesn't know anything about credit cards. They bought a PC to order their food and other needed items for their business, and they can also run credit cards through it. They don't know if the credit card software is storing data it should be storing. If they get breached they find out the hard way, and it is conceivable for a small mom-and-pop operation that they could go out of business because of it. Forget about the fines and costs related to the data breach itself; it's the reputational loss that can put a small company out of business. If the town finds out that its hometown pizzeria had credit cards stolen from its company, it's akin to putting a sign in the window saying, "If you ate here two weeks ago, our chef has hepatitis." A credit card breach is a catastrophic event for a small retailer. The retailer, like my wife, has to at least ask the question, "Will the PC software a vendor is selling me protect my company from a data breach?" They maybe don't have to know how it works or the whys and wherefores, but they at least have to ask the question.
Nowadays security has to be part of the business plan, because without it a business can go away. It is a serious issue that unfortunately not enough businesses are taking seriously. It is an education issue that the council has taken on in its first year to make sure that businesses realize the importance of security.
Q: The 12 requirements of PCI-DSS sometimes look quite daunting (especially to a level 3 or 4 retailer). Will there be add-ons to the 12 in the future?
Russo: There will be additions and clarifications to the standards. The standards will reflect the changing landscape out there. I'd like to say that I know the direction that they will take with the next exploits that may be coming down the road, but there are probably exploits we haven't thought of that will show up and we'll have to react to them. The standard will constantly be updated and clarified, but the 12 requirements probably won't be expanded. We're looking at releasing a new version of the standard later this year, based on the feedback we've received from all of our stakeholders, but nothing so far looks to expand it out to requirement 13, 14 or 15 at this point.
Q: The latest set of PCI clarifications cover PCI DSS requirement 11.3, which addresses penetration testing, and requirement 6.6, pen testing. Will this help retailers do a better job of testing their systems for installed malware?
Russo: The standard is pretty stringent. If you follow this standard to the letter, I'm confident no one would be able to install a sniffer on the inside of your system. The standard is pretty solid in that area right now. We're looking to see what is going to happen. If you properly implement it, it prevents hackers from installing sniffers and other malware on your systems, with the caveat that you test on a regular basis, because it is an arms race. The issue is if you get your piece of paper saying you're compliant and you stick it in a drawer only to look at it a year later, you're going to fall out of compliance for sure. These are security practices you have to practice every day, not just when the assessor is in. If you only turn on your security when the assessor is in doing their assessment and then turn it off after they've left, it will eventually catch up with you and bite you. Maybe some of the ones we've been reading about that have had breaches have been bitten in this way; we'll have to wait and see.
Q: Ultimately, why should financial institutions be concerned with PCI compliance?
Russo: It's the right thing to do. PCI is a series of best practices that they should be doing anyway as part of their security practice. If they have to worry about security for anything, not just credit card information, they should be doing this already. Why does it take a catastrophic event to snap everyone into action? I know what the nature of the beast is. I'm the same way; I don't put smoke detectors in my house until I've had a fire. But financial institutions can't think this way; they have to be on top of it, and doing it. Why? Because it's the right thing to do for their customers. They're giving them their business and their loyalty -- the institutions should do this much.