This week my attention has been dominated by one word, well six officially, but often narrowed down to six or even three letters – PCI.
To give it its full title it is the ‘Payment Card Industry Data Security Standard', and in my meetings this week at Gartner and other panel debates, the subject arose on several occasions. Now I will be the first to acknowledge that I do not know the ins and outs of PCI (as we will now call it), but thanks to the PCI DSS user group (see link) I do know that it is a set of complex regulations that all businesses taking credit card payments must adhere to.
The first debate over PCI generally concerns what purpose the standard actually serves, and how strictly it is enforced. An article published back in June gave the opinion that the PCI Council had ‘failed to adequately address consumer risk by not mandating end-to-end encryption as part of its requirement, allowing the use of compensating controls in lieu of encryption in order to spare those under PCI requirements from the expense of properly securing the data they were entrusted to protect'.
Paul Henry, security and forensic analyst at Lumension, who gave the opinion, claimed that data breaches had become all too commonplace, and that the bar should be raised so that the minimum standards for compliance are stricter in light of these many failures.
Coincidentally, Lumension announced the launch of its Compliance and IT Risk Management tool earlier this week, perhaps to encourage others into their stricter way of thinking.
Another company to make a significant PCI-related launch was Qualys. I met chief marketing officer Amer Deeba earlier this week to discuss the launch of the new QualysGuard platform.
Deeba claimed that Qualys was seeing more focus on PCI in the UK as more customers became interested, yet he claimed that ‘a couple of years ago this was not the case'.
He also commented that with the PCI Council meeting soon, current challenges, such as virtualisation and pre-authorisation, will need to be clarified and addressed.
Deeba said: “We think PCI is great but needs regulations, but as a regulation it is the best possible for security. It is the common sense of security and companies should do it if they are not already.”
Another company to discuss PCI was Imperva. Its CTO is Amichai Shulman, and he was passionate about both compliance with the standard and its enforcement.
Shulman said: “PCI enforcement is very interesting. You are compliant or pay more commission, or the regulators will sue if it doesn't come out. It is not perfect but it does work, as an organisation it makes risk management sensible.”
Imperva's own research found that 71 per cent of companies are not taking security seriously. Shulman claimed that he saw three times as many organisations that had a bad attitude towards security to begin with and did not bother to go through the process at all, while others went through the compliance process doing only the bare minimum needed to be compliant.
He further claimed that the regulatory enforcement should be balanced against the size of a company, and not be a ‘one size fits all' situation. Shulman said: “Smaller companies should have smaller regulations, not be half compliant but have different layers to affect different deadlines. The remaining fact is that potential change is smaller, so there should be fewer requirements.
“The Heartland CEO said the assessors did not know what they were doing and there are variants and it is understandable as long as you have direct and simple criteria, then the bare minimum is done. Use a firewall, anti-virus, small businesses do this, the council need to sit up and make more clear guidelines.”
He also claimed that there should be a certificate or logo, which regulated companies could display to show that they are controlled and have passed the evaluation. This, Shulman claimed, would also raise awareness among the public.
Shulman said: “This is an issue for the council to take care of, having a certificate saying that you are compliant would help the public make a decision and will show that you care about the safety of your data. Also as a business you will have the incentive to be compliant.”
However, Jan Fry, head of PCI at Pro Check Up Labs, had some differing views. He claimed that a company displaying a PCI logo would allow an attacker to ‘determine that a company is probably processing enough credit cards to make an attack worthwhile'.
Fry said: “The attacker will also be able to make assumptions about what is likely not to be in place (network encryption) and has been used successfully before in PCI attacks (still not fixed), and fine tune his attack to take advantage of this - possibly SQL command injection to install listening malware to capture card details.”
He also questioned what benefits it would bring, as it could be replicated by a fraudulent website, and asked: “Is PCI compliance really something to be proud of? What exactly were organisations doing with credit card data before PCI came along?
“The standard in many areas provides a very basic level of security and is not without its flaws. So achieving compliance is not some holy grail of security. Not even close.”
Shulman's opinion, which was backed up by Shavlik Technologies, does not seem to be universally shared, and Fry's point about such a logo being used indiscriminately is a fair one; it was also raised in comments left on the story.
The fact is PCI does exist, and one thing that seems to be generally agreed on is that it is better to have some sort of regulation than none at all. Shulman claimed that it is ‘not perfect, but in comparison to other regulations PCI is a good model but it is never flawless'.
Fry, meanwhile, said: “The standard is not perfect but this is what we are stuck with for now, so let's work to improve it constructively!”
The PCI Council has been given instruction on how to act, and it will be interesting to see how it responds at upcoming world and European meetings.