Thursday, October 01, 2009

Credit-card security standards questioned, survey says – I DO NOT Agree

Click Here for Lionel Wilson Blog Post

I should first state that I have not seen the Ponemon survey that was mentioned by the author of the above-referenced blog post.  I have requested to see it.

Most IT security professionals who must comply with the industry standards to protect credit card data think those standards have no impact at all on actual security, according to a new study by Ponemon Institute.

As an Infrastructure and Security Professional, I do not agree with this statement and would welcome the opportunity to review the source survey.  PCI DSS has had a huge positive impact (albeit SOX-like painful) and has significantly raised the bar (which was the intent) in protecting Credit Card Privacy information.

And they say the main benefit of meeting the standards isn't better security, it's better relationships with business partners who regard payment card industry (PCI) compliance as an easy-to-read sign that businesses are paying attention to protecting the personal data of people who use credit cards, the study says.

While there clearly have been a number of well-documented “PCI-related” data breaches showing up in the news, I see the point that the author is making about Business relationships.  Firstly, if you look carefully at the details of some of these breaches, like TJX for example:

WSJ Article on TJX Breach

Read the WSJ Article (linked above) on the TJX breach.  This was a failure of BASIC NETWORK SECURITY Best Practices, notwithstanding PCI guidelines.  You may find that many, if not all, of the infamous breaches were a result of less than vigorous compliance.

Secondly, as for the blogger’s view of the “main benefit” of PCI, and notwithstanding the blogger’s sarcasm about Merchant relationships, a lot of it has to do with liability.  The Credit Card companies, the Banks, the Credit Card Processors and ultimately the Merchants all get named in lawsuits when customer data is exploited.  As a result, PCI is an industry self-governing attempt to curb that liability.  That generally translates into greater security controls and governance.

Keep in the forefront that this “survey” was conducted for a Security Software developer, not an industry watchdog group.  I offer no disrespect to Imperva.  While I HAVE NOT SEEN the survey, I have to question these statements until more details are made available.

"PCI does not necessarily mean better security within the hearts and minds of respondents," says Larry Ponemon who conducted "PCI DSS Compliance Survey" for Imperva, which makes database and Web application security products.

This next section is particularly perplexing, as even lay observers can surmise that PCI controls (if implemented vigorously) provide greater levels of security.  Much of PCI is plain common sense and Best Practices.

The benefit of PCI compliance cited most often by the IT security pros polled was that it improves relationships with business partners, not that it made data more secure.

There is certainly nothing wrong with questioning the effectiveness of any industry governance code.  My concern here is that the concerns raised by the blogger / author do not “appear” to be based on common sense or on facts that have yet to be seen.  Common sense alone (although common sense apparently is not always common) should indicate that any set of guidelines, PCI or otherwise, would increase effectiveness, let alone the PCI DSS standard, which has sustained continued scrutiny from insiders, outsiders and litigators.  It is almost preposterous to state that the implementation of, compliance with and adherence to PCI DSS “standards have no impact at all on actual security”.

Let the people decide.

Ne feceris ut rideam

(Don't make me laugh)
1 comment:

ASB said...

The point is that proper Information Security is a superset of compliance. Attaining PCI (or HIPAA or SOX) compliance does *not* mean that your environment is secure, even if it is better than it was before you engaged in the compliance initiative.

Sometimes, organizations are more willing to be compliant than they are to be secure, and this does them no good in the end.

See: The Compliance Trap