Posted by: David Schneier
PCI, Regulatory Compliance
Let me kick this off by clearly stating that I have never met Adrian Phillips, Visa International’s Deputy Chief Enterprise Risk Officer and Regional Head of Risk for North America. As a matter of fact, I had never even heard the name until earlier this month. I know so little about Mr. Phillips that until this morning I even thought “he” was a “she” based on the name alone (with all due apologies to Mr. Zmed and Mr. Dantley).
But here I am, barely one month later, and I can’t seem to shake this guy. He’s being quoted all over my working world: on websites, in print articles and even in the mainstream media. And his comments and quotes all sound eerily similar, as though they’re rehearsed.
I first crossed Mr. Phillips’ path in an online article in which he defended the PCI standard in the matter of the Heartland breach. He talked about how the PCI DSS standard “didn’t fail,” and how it’s “been largely touted as one of the best tools to protect cardholder data and fight breaches.” He then offered this caveat: “The reality is that fighting payment fraud is complex and multidimensional; there’s simply no single solution to make fraud go away.”
I liked the rhetoric, to be honest. No standard is by itself the solution to the problem it’s aligned against. I’ve worked with all of them, from SOX to HIPAA to GLBA and yes, even PCI. All of them have merit and none of them actually solve the problems they are designed to address. They are all a good place to start in terms of scoping out what to do, but in the end it’s the same thing as handing someone the blueprints to a house, offering no supplies, no tools and no real guidance, and expecting them to actually build the house. So for Mr. Phillips this was a nice, confident step forward.
Then, further in the same article, he suddenly and very subtly switched gears when he said “no compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” In other words, the PCI standard didn’t fail; it just wasn’t implemented properly, and that was the reason for the breach. Interesting point, Mr. Phillips, though a step backwards and away from the real issues.
Upon examination, this assertion sort of falls apart. Heartland had been assessed as PCI compliant and certified at the time the breach occurred. As we all know, the business entity cannot certify itself and must rely upon the opinion of an independent, PCI-approved assessor to do so, and that assessor’s opinion is a point-in-time judgment based on the evidence it sampled. So Heartland can’t be held solely responsible if in fact there were issues that went unnoticed and/or undocumented during that assessment. Why wasn’t that part of the rhetoric being offered? And who was the certifying firm for Heartland, and what’s happening to them? Although I’m willing to bet that they did their job exactly as they’re supposed to, they still certified a company that Visa has since determined was out of compliance. To me it came across as a bit of an avoidance strategy on Mr. Phillips’ and Visa’s part, and so a step to the wrong side of the issue.
Then he wrapped up the article by pointing out that “there’s no silver bullet when it comes to protecting consumer data” and that “as criminals get better at what they do, our efforts to stop them must keep pace.” Excellent points, both. And really, in the end, the true key to all of this. Every decent cybercriminal out there clings tight to the belief that when one door closes, another one opens, and so they go and find it. The operative word for any manner of security is vigilance; without it you’re doomed. And for Mr. Phillips this was a step to the right side of the issue, thus bringing us back to where we first started.
Let’s recap the way this worked: step forward, step back, step to the wrong (left), step to the right. Put this to some techno-beat driven music and I think we may have a suitable replacement to the Cha-Cha Slide line dance.
Sadly, what Mr. Phillips and Visa need to do is come straight out and say what everyone already knows: that the PCI standard, though applied correctly according to its own rules, failed to detect and prevent this breach from occurring. It’s a poorly held secret that those in the field who conduct PCI work are the most aware of how flawed the standard is in terms of providing reasonable assurance that the appropriate controls are in place and functioning as expected. And despite that, it’s still a viable framework; it just needs to be pushed further and deeper into the infrastructure, and the sampling requirements need to expand to be more than just “representative.” Yeah, I know, this isn’t going to be cheap and it’s certainly not going to be easy, but it’s either that or we keep waiting for the next breach (and the next and the next and, and, and….).
Honestly, all we have at this point in the lifespan of the PCI standard is a good idea, huge residual risk to our credit card data and a snappy little dance routine. I think we can do better. I hope we can do better.