Posted by: Arian Eigen Heald
Compliance, Identity theft, IT audit, PCI DSS, Security
I’m going to assume that you have some baseline knowledge about the DSS, the 12 areas of coverage, different Tier Levels and other requirements for compliance. If not, visit here and bone up.
There is a lot of pro and con going on in the blogosphere right now about the “value” of PCI.
And the circle of blame amongst merchants blaming VISA blaming the banks blaming the merchants is certainly ongoing.
Now that card processing hardware is being easily hacked as well, it’s all just getting more interesting.
First, I’d like to say I trained at VISA and passed the QDSP exam. Second, I’ve performed three Tier 1 merchant audits. Third, I happen to like the DSS. It has specifics, as opposed to other “standards” that operate at the 10,000 foot level. In other words, one of the requirements is to have a firewall, have rules for the firewall documented, and access to the firewall logged. Nice. Easy to do, easy to test. All the technical standards are based on best practices, and they focus on the credit card data.
The enforcement and compliance requirements, on the other hand, have no clothes. (See the Emperor? Doesn’t he look great?) Let’s make them a little more solid:
1.) All Tier 1 merchants should have their compliance audited and signed off on by an outside firm, just like the service providers. Letting merchants sign off on their own security makes me visualize foxes and henhouses.
2.) Outside firms should not be permitted to do any remediation work. Again, foxes and henhouses. It ought to be just like a SOX audit, where the attesting auditor cannot “fix” any problems found.
During my VISA class, I listened to my security vendor classmates press the instructors about “minimum requirements.” They were rather obviously looking for ways to get their clients off the compliance hook. The instructors weren’t pleased.
3.) Outside firms should be penalized if their auditee merchant is breached. It will certainly make them more vigilant when their pocketbooks are involved.
4.) In the race to the bottom, many merchants pick the lowest outside firm bid for assessing compliance. If running a scan and doing a canned report is an assessment, I should go back to PC service and support. Both the merchant AND the outside firm should be ashamed of themselves. And the acquiring bank should be slapped for accepting it.
5.) In the standard, you are either compliant or you’re not. TJ Maxx was not compliant. They had a “plan” to upgrade their wireless in the next year or so. Why was that acceptable to VISA and the bank? Were there any compensating controls? Obviously not, since there was no firewall between the stores and corporate.
6.) Publish the names of the Tier 1 and 2 merchants who are not compliant. (I can hear the screams now.) But implement the previous rules first.
P.S. Compliance Does Not Equal Security. But, as my Maine Yankee father-in-law would say, “It sure beats snowballs.”