Sep 23 2009

Implement PCI strategically

Published by at 7:05 am under PCI

A new survey released by Imperva and the Ponemon Institute looks at the effectiveness of PCI; despite the best intentions and efforts of many security professionals, it finds that PCI is having only a limited effect in stopping digital thieves from stealing credit card information.  One of the most telling statistics in the survey is that the majority of companies, 71%, treat PCI as a tactical maneuver rather than a strategic initiative.  In other words, too many companies treat PCI as a checklist of requirements rather than as an overarching plan.  In the end, the checklist approach will always be less secure and leave more vulnerabilities than treating PCI as something to be incorporated into long-term thinking about security.

It’s not that PCI is ineffective in and of itself; there are few who can still argue that the PCI requirements aren’t basic security measures that almost every business should implement.  You can argue that PCI doesn’t go far enough or that too much is left open to interpretation, but the majority of the PCI requirements are logical and make sense to implement.  The Ponemon survey does point out one of the major flaws of the system: merchants are looking only at credit card numbers, leaving large amounts of other sensitive information, such as Social Security numbers and bank account details, unprotected.  As much as I wish PCI could address this data as well, it is going to remain outside the purview of the credit card industry for the foreseeable future.

What’s ineffective is how we use PCI to secure our enterprises.  Only 27% of companies are using PCI as a lever to raise awareness of security in their enterprises.  And by ‘raise awareness’ I mean ‘get the money to implement needed security measures’.  Security is always a fight for the budget needed to implement controls, in large part because preventative measures are a hard sell when you can’t point to direct consequences or benefits.  I’ve always argued that the greatest benefit of PCI comes from using it to garner support for security initiatives and gain the resources needed to implement security measures.  However, that requires thinking about security strategically, which is very hard if you view PCI as just another set of requirements getting in the way of doing your job.

And that is the crux of an effective implementation of PCI versus an ineffective one; if you view PCI as a part of your security program and something that can be used to implement security, then the chances of it positively impacting your enterprise are pretty good.  But if you view PCI as just another annoyance that’s distracting you from your real security job, the chances are it will have little or no positive influence on your security posture.  Like so many things in life, the effectiveness of PCI is going to be based on how you look at it and how you choose to incorporate it into your strategies.  Funny how that works, isn’t it?

If you haven’t read it yet, you owe it to yourself to download and read the 2009 Data Breach Investigation Report from Verizon Business.  It backs up much of what the Ponemon Institute has discovered and should be required reading for every serious security professional.  You can also listen to my interview with one of the authors, Wade Baker, from this year’s RSA Conference.


4 Responses to “Implement PCI strategically”

  1. karl elachi on 27 Sep 2009 at 5:43 pm

    A very interesting finding in Verizon report, worth further investigations;

    “Results from 600 incidents over five years make a strong
    case against the long-abiding and deeply held belief
    that insiders are behind most breaches”

    Additional points on malware, which now uses payloads that are ‘covert’ in nature (spyware and trojans) rather than the traditional, more ‘overt’ disruptive payloads.

  2. Digital Security Consultants on 28 Sep 2009 at 5:50 am

    Is it me or is the stat of 27% of companies use PCI to raise awareness about security alarmingly low? No pun intended

  3. Sebastian Kübeck on 28 Sep 2009 at 7:58 am

    As the previous Verizon report also states, by far the most records have been stolen from level 1 merchants and PSPs.
    On the other hand, more and more small merchants are outsourcing their credit card handling to PSPs.
    As a result, those PSPs themselves become a more and more lucrative target for criminals. And since some of those PSPs aren’t able to secure their environments, PCI compliance efforts could actually explain the drastic increase in stolen records.

    Or, to put it another way: PCI compliance efforts could have caused an increased number of stolen records.

    So maybe it would be better to stop PCI compliance for level 2 merchants and below and start tightening the thumbscrews on level 1 PSPs?

  4. spinman on 30 Sep 2009 at 4:59 am

    We all know and most of us agree that the PCI-DSS standards are nothing more than a security baseline, basically the minimum security controls to somewhat protect payment information in an organization.

    But if all organizations do is implement PCI as a security standard, then I’m not surprised by the numbers in the Verizon report, because the “blueprints” for the security controls implemented (PCI DSS) are readily available to everyone, so all the hackers know exactly what is being implemented for security.

    So this is why I continue to say PCI is a great baseline, but that’s all it is; organizations must go beyond PCI to achieve security. If organizations implement the best security controls available, then compliance will come as an outcome of security. If all they do is try to get a check box for compliance (PCI), then chances are security is implemented at a minimum and the risk of breaches and other security incidents will be higher.
