Repeat after me: “Being compliant does not mean you’re secure. Being compliant doesn’t mean you’re secure.” Keep muttering that to yourself while you read the rest of this post. If you have a bluetooth headset, people might not even think you’re crazy.
If you haven’t already heard, over the weekend Network Solutions announced that they’d been compromised and over half a million credit card records had been stolen. All we know about the attack so far is that it used ‘unauthorized code’, which could mean anything from a wholesale compromise by an outside attacker to a malicious insider placing the code for his own profit. In other words, they’ve really told us almost nothing about what happened and it’s quite likely that’s about all we’ll find out. The code transferred the information to servers outside the company and while there’s no evidence yet that the stolen credit cards have been used for fraud, there’s also no evidence that they haven’t.
So why are we spending so much time on PCI if it doesn’t make our merchant and service providers secure? Network Solutions had been validated as PCI compliant by Payment Software Company (PSC) last October, so they were secure weren’t they? Once a merchant or service provider is compliant, that’s it, isn’t it?
The Payment Card Industry Data Security Standards are not a magic potion that will make a company secure. The requirements are mostly good practices, and the annual review that merchants and service providers go through is not exhaustive and does not touch on every server in a company’s PCI environment. The PCI DSS is a minimum baseline companies should be complying with in order to take credit card numbers. Each network and each business is too different for any standard to cover in a horizontal market that includes everything from your corner Mom’n’Pop store to the likes of Amazon, Best Buy and Walmart. What PCI does, and does well, is raise the baseline of security for the entire market and hopefully make it a little harder for the bad guys. But raising the bar for everyone may not raise it high enough to actually secure any one company, and it’s up to the security professionals who work at those companies to realize that PCI isn’t a stopping point, it’s just one milestone along the way to securing the systems at their companies.
Network Solutions had been validated by a QSA, nearly a year ago. If you’re ever curious, Visa keeps a list of the validated service providers on their site. Pay very close attention to a short clause they have on every page of the document:
(1) PCI DSS assessments represent only a “snapshot” of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.
Yes, Network Solutions was listed as having been validated last Halloween. Take a moment and think back to how your own network was configured and maintained last Halloween; have there been any changes to your network since then? Has anyone made any configuration mistakes on your systems in the last 10 months? Have there been any 0-day vulnerabilities that affect your servers since then? If you can answer ‘no’ to all of those questions, you’re either the best systems administrator I’ve never met or you’re lying to yourself. I’d lean towards the latter.
The PCI requirements don’t require a QSA to check every server on the network or even in a company’s PCI environment. They require the QSA to check a sample of systems for all of the PCI requirements. My own experience has been that you can tell pretty quickly if a merchant or service provider is following their own configuration and hardening standards or not. If they are, you might be able to reduce the sample size some, and if they’re not, you might have to increase the sample size you’re assessing. In all except the very smallest merchants, there is no way even the most competent QSA can assess more than a sample of systems involved in the PCI process. It’d be great if we could review each and every system involved with cardholder data, but that’s why companies retain security personnel. The job of the QSA is not to verify every system, it’s to assess the security of a company as best they can in the few days they have on-site. It’s the job of the security and system professionals who work at a company day after day the rest of the year to ensure that the baseline of security PCI requires is kept current and that even the systems the QSA didn’t check are secure.
Like my friend Anton, I wish people would stop taking every breach of a PCI compliant company as proof that PCI has failed. We don’t scream that Microsoft is a failure every time a Windows server is compromised or state that the OWASP top 10 is worthless if a company follows the guidelines but still turns out insecure software. We acknowledge that the system has weaknesses, that people don’t follow guidelines as well as we might like and we move on. Just because one part of an overall system is flawed, we don’t declare the whole thing a failure. Instead, we work on improving the system and making it better so that the same problem doesn’t happen again. Or at least we try to. So why does anyone expect the PCI system to be perfect?