This news is polarizing the security
blogosphere. The popular “buzz” over the announcement is that this is
supposedly a wake-up call for the industry, especially if Merrick
ultimately proves that Savvis was indeed negligent. The mounting
anxiety over this is creating a scenario whereby all those who have
complained about the pitfalls, complexities and costs of compliance
are now, figuratively speaking, lining up with a big stick in hand ready
to flail away at the PCI compliance piñata. They are ready to vent
their collective pent-up frustrations by disparaging and dismissing the
PCI compliance process, and especially the QSAs who perform these
assessments. (Note that the PCI SSC now calls them assessments, not audits.)
They do so hoping the figurative “spoils” that spill from the
busted PCI piñata will include relaxed compliance requirements and
reduced fines and penalties for non-compliance.
The PCI SSC
has gone to great lengths to write a unified security standard to help
protect the cardholder information (CHI) for the founding member card
brand customers. It has developed a fairly rigorous training and
certification program for those who perform PCI DSS compliance
assessments. Only certified companies with certified Qualified Security
Assessor (QSA) personnel can perform such work. In addition, there are
Quality Assurance steps in place to help identify and restrict those
QSAs that do not, or cannot perform to minimum levels of professional
competency. There are also stipulations that companies who perform this
work must not recommend only their own products as solutions. That
having been said, no standard is perfect, nor are companies or people.
There can be instances where mistakes are made. It is also quite
possible that there are some bad apples involved in this business who
have somehow circumvented the checks and balances designed to establish
and maintain a minimum level of professional competency. But this is
why the Council has its QA process.
The PCI DSS at a
rudimentary level can be compared to Information Security 101, but it
goes much deeper than that. Much like the more mature audit frameworks
in the financial sector, the goal of PCI is to protect sensitive
private information – and in doing so bring a level of transparency
to enterprise information security, reduce fraud, reduce risk, and
increase confidence. PCI isn’t perfect, and its biggest weakness is
its reliance on the integrity of the business being assessed. It is,
however, the strongest driver for information security in the business
world we’ve seen to date. Thus far PCI and its predecessors have
identified and helped mitigate a staggering amount of risk to CHI due
to insecure systems and business processes.
While there has
been an impressive improvement in the overall protections afforded by
all of these Infosec standards, both individually and collectively, there is still no guarantee that systems assessed as compliant are completely secured against compromise or misuse.
There are no guarantees with this, just as there are no guarantees in
business. A significant component of managing businesses and
organizations involves managing all risk to corporate assets. And even if all reasonable and cost effective protections are in place, stuff can still happen.
In addition, it is important to understand that all IT environments,
including those that process credit card payments, are highly dynamic.
An audit or an assessment of such an environment takes
place over a finite time period and represents a “snapshot” of
the environment as it was at that time. The assessor attests to the overall
compliance of a given environment during that period, and then
provides a reference date for that assertion. If a compliant
business or organization makes any change to that environment after
the fact, there are no guarantees that the environment is still
What does this all mean when it comes to the
Merrick Bank lawsuit against Savvis? Merrick has a large burden of
proof ahead. They have to prove that (a) Savvis was negligent and that
the alleged noncompliance was there at the time of the CISP audit,
meaning their Report On Compliance (ROC) was false, (b) the breach
would not have occurred had they been compliant, and (c) this is their
biggest hurdle: they have to prove that Savvis is somehow liable for
Merrick’s damages even though Savvis had no business relationship with
Merrick Bank (Savvis was hired by CardSystems, not Merrick). Whichever
way the lawsuit goes (with today’s legal system I’d rather go to Vegas
than call that one), the real lesson here is to be damn sure all
requirements are met before professionally attesting to security
related organizational compliance.
There is one key to
understanding PCI compliance (or any compliance program for that
matter) – there is no ‘silver bullet’ solution. There are vendors that
will try to sell you solutions that supposedly guarantee 100% hackproof
security with full compliance, but the truth is that no such thing
exists. It’s a fantasy to think otherwise. Security is all
about risk management, and the bad guys tend to be pretty skilled and
resourceful. Not only that, they only have to be “right” once.
As a merchant or service provider pursuing PCI compliance, the goal
shouldn’t be to achieve it and then put a “safe from hackers!” sticker
on your website. Doing so, or anything like it, only increases
risk. The end goal is to determine your business’ risk tolerance and bring your actual risk profile down to that acceptable level.
Similar decisions are made when determining “should I become compliant
with PCI or just pay the costs of noncompliance?” Same risk management
model as the one you use every day deciding whether to speed on the
freeway, except PCI compliance actually makes sense.
Look for our new IBM ISS white paper on the ROI from PCI Compliance, coming to this blog soon.