Panellists speaking at the second SC Congress London earlier today were split on PCI compliance, which has become a hot topic of late not least considering the impact of Target's data breach late last year.
A panel comprising Dave Whitelegg, senior information security and PCI consultant at Capita, James Mckinlay, head of information security for UK&I at Worldline, and ISSA UK president Tim Holman talked through the changes in PCI compliance regulations over the years, from version 1.1 of PCI DSS through 2.0 to the current 3.0, and considered how businesses are tackling compliance and auditing.
Mckinlay was largely upbeat on the changes, saying that business awareness had grown substantially over the last eight years, a period during which some companies would not have been pursuing PCI or even ISO 27001 compliance.
He applauded recent changes in PCI DSS 3.0, including incident response, monitoring and network segmentation, and said that the standard essentially acted as a ‘secure baseline’ for protecting debit and credit card details.
But Whitelegg was keen to point to the Target data breach as evidence that compliance alone isn't sufficient.
Target met PCI compliance in September 2012 but the panellists noted a “few alarm bells” such as the lack of network segmentation between the card data and the rest of the corporate network, little incident response and no two-factor authentication for remote access.
With this likely to have resulted in a drop-off in compliance over the course of the year, the panellists agreed that PCI must be a “continuous state of operation.” “It has to be hit all the time,” said Whitelegg.
Not that the companies – or associated third parties, as was the case in the Target breach – are entirely to blame, the panel admitted. One member of the audience quizzed Holman on whether qualified security assessors (QSAs) should be more evidence-based in their investigations, and the 2-sec CEO admitted that QSAs largely rely on trusting people to tell them the truth.
“Compliance relies on people telling the truth,” said Holman, a QSA himself. “But evidence-based audits take a hell of a lot longer for bigger vendors, and if you're not in a position to do that [companies] will go for a cheaper QSA.”
What should companies be doing to get ahead with PCI compliance? The panellists said that they must put together incident response plans, ensure data is being encrypted and treat PCI compliance as a “continuous exercise”. Mckinlay added that there would be a ‘lot less problems’ if security was driven top-down from the board.