As of Aug. 10, the Identity Theft Resource Center had reported 333 data breaches in 2009, exposing over 13 million records in the process. Given that context, it’s no wonder that information security professionals and compliance officers are receiving increased pressure and scrutiny from their executive teams about whether IT systems are truly secure.
As several recent essays on PCI compliance and security suggest, however, no one should be looking to standards or compliance audits alone to certify that an organization is protected against a data breach.
CSO senior editor (and former TechTarget-er) Bill Brenner’s interview with Heartland CEO Robert Carr drove home precisely this issue. In the interview, Carr asserts that “the audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever.” The assessment of the CEO and industry is reflected in Eric Ogren’s column from earlier this year, “Heartland breach highlights PCI limitations.”
Rich Mogull, founder of Securosis, posted an “Open Letter to Robert Carr, CEO of Heartland Payment Systems” on his blog that questions the blame Carr places on external auditors. As Mogull points out, “PCI compliance means you are compliant at a point in time, not secure for an indefinite future … standards like PCI merely represent a baseline of controls.” He recommends that executives “treat their PCI assessment as merely another compliance initiative — one that does not, in any way, ensure their security. As an industry professional I see all too many organizations do the minimum for PCI compliance.”
Mogull’s critique was followed by a more incensed response from security expert Mike Rothman, SVP of strategy, eIQnetworks and chief blogger at Security Incite. Rothman observed that “you cannot outsource security. An auditor or assessor is only there to substantiate the technical controls implemented to meet a regulation … any regulation is only the beginning of a comprehensive security program, and PCI is no exception.”
All of this was preceded by a much-discussed essay by security consultant Nick Selby at Fudsec.com, “Showing the Oblomovs the door.” Selby posits that the PCI Data Security Standard (PCI DSS) is a “Pyrrhic victory,” suggesting that “well-intentioned businesspeople at PCI, seeing their money walk out the door at an exponentially increasing rate, thought they’d ‘Raise the bar’ by setting forth some highly specific tasks. Unfortunately they were specific to a paradigm gone by, and those who don’t comply get their credit card privileges popped. Thus have they managed not only to not raise the bar but in fact to substantially lower the ceiling — PCI is not the minimum standard, it’s the maximum effort that many organizations make.”
His “anti-compliance” rant earned substantive contributions in the comments on the post by security analysts and professionals, including Verizon’s Alex Hutton, on whether PCI DSS holds any value.
Are there any conclusions to draw from the discussion, timely as it may be given our recent publication of a PCI DSS FAQ?
Here’s a shot:
1. PCI compliance should be a baseline for security, not a ceiling.
2. PCI compliance does not equate to being secure.
3. PCI compliance does provide a checkpoint for auditors and an organization at a given point in time.
4. That checkpoint does not substitute for a holistic approach to risk management and security.
If you have more to add to the discussion, please comment, @reply to @ITcompliance on Twitter or send your thoughts to firstname.lastname@example.org.