Just before I took a break, Hannaford was reported to have been compromised, resulting in the exposure of sensitive user data. Doh. However, the interesting aspect of this story (let’s face it, there are many breaches of personal data) was the fact that Hannaford was confirmed as being PCI DSS certified. One can imagine the shockwave this sent through the media and industry alike … a PCI company being pw0n3d? Oh no!
OK. Perhaps there was no shockwave, but what I did observe was the usual “PCI is useless” rants from a number of industry experts, bloggers, and the happy drunks that frequent my local watering hole. It seems everyone and their dog took the opportunity to slate the PCI for continuing to promote a standard that offers no real security and that is actually having a negative impact.
I find it odd that a (large? Who knows, statistics are not strong in the security industry … we need a new disaffected_with_security_standard metric, surely …) number of security professionals position the PCI DSS as a waste of time and nothing more than a gimmick to leech more money. If only it solved all of our problems, wouldn’t that be grand?
My opinion is slightly different. Yes, I agree that the PCI DSS is not a perfect standard. Yes, I do find some of the requirements (or the absence of others) odd. And seeing repetitive and sometimes strangely conflicting (depending on interpretation) goals is a little confusing, nay frustrating. However, I do look upon it as a set of security requirements (12 in all) that companies must address in order to meet contractual (legal) obligations set by the Brotherhood of the PCI. The goal? To improve security, yes! But this is perhaps more likely a consequence than the primary goal - in reality the PCI have attempted to shed some of their liability. Of course, prior to PCI, Visa and MasterCard had their own programmes. Amalgamating the two made sense for their customers. Prior to these standards becoming the PCI DSS, I can’t remember there being any significant hullabaloo.
So, the PCI get to offload some liability and the world must surely get secure systems? No. Do we deserve such security? Perhaps, but maybe the companies and the QSAs should take some responsibility, too? QSA capabilities are occasionally brought into question, and the PCI group’s approach to vetting, approving, and revoking QSA status has been criticised. But the companies on the front end, those poor little lambs, seem to have been forgotten or forgiven. If the PCI DSS did not exist, who would be held responsible for security? I find blaming the PCI DSS for the security failings of an organisation laughable. Perhaps the QSA could be at fault (partly), but the complexities of meeting strategic and operational goals, and the whims of certain company members, can often lead to reprioritisation, refocusing, and reaping the related rewards. As certification is only measured on a periodic basis (and quite often focuses on controls, rather than the practical aspects), surely the PCI DSS is not the source of all evil in the universe?
Should the PCI DSS be improved to meet the various expert opinions? Maybe. But I don’t think the PCI can be accused of ignoring the industry (i.e. they are strong supporters of the OWASP, which is a good thing!). Should the quality of the QSAs be further tested or made more stringent? Maybe. I don’t have any data relating to any overall perception of quality relating to the QSAs - other than that they are certified through a reasonable process and that once they are certified it must mean they are in some way competent, at least sufficiently to deliver the QSA service. Should companies operating under the PCI DSS manage their security above and beyond the requirements of the standard? Yes. This I can state with confidence: these companies have many legal responsibilities, and waving around a standard and shouting “Compliant!” is not the end of the journey (although journey seems to be so last year … I think it’s now finally supposed to be baked in. Good thing Bruce sold his company already!).
In summary, I think the PCI DSS is fine for what it is: a set of security standards that companies which deliver card processing services must adhere to. Let’s not be too harsh on them. It’s very easy to point the finger and say “I told you so”, but it is another thing to define a standard to suit a large and diverse grouping of companies (their client base) and to ensure that the uptake of such an initiative is practical. Who knows, maybe by PCI DSS version 5 everyone may have moved on to criticising Google for making Web 4.0 (Beta) insecure. Perhaps Microshhoo!buntu will be able to offer them some emotional support.
In other PCI related news, clarifications for some of the key points within the standard have been released:
- Information Supplement: Requirement 11.3 Penetration Testing
- Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
The first provides a useful clarification for pentesting outfits and companies relating to “who” is authorised to perform a penetration test (under 11.3). The good news is that most people’s interpretation was correct: anyone! There are some guidelines that go with this. The second provides, again useful, clarification on how one might meet the objectives stated in 6.6. However, it should also increase sales of WAFs.
Ah, WAFs … something else I could probably sit on the fence about :p But I won’t indulge, yet. Besides, plenty of people have already commented on the good, bad, and ugly of such devices.
Tags: security management by Dave