PCI Compliance Under Scrutiny Following Big Data Breaches

In the wake of numerous high-profile data breaches, some security experts question the effectiveness of PCI compliance.

As details filter out about the Home Depot hack (and many, many more data breaches), you can't help but ask: How did this happen -- especially when the company was supposed to adhere to specific safety regulations or else lose its capability to process credit card transactions?

According to The New York Times, Home Depot's flawed security system allowed customer information to be stolen for months, unnoticed. These flaws include using outdated Symantec antivirus software from 2007, not continuously monitoring the network for suspicious behavior, and performing vulnerability scans irregularly and at only a small number of stores.

This shouldn't have happened. Home Depot, like any merchant that accepts credit cards, must comply with security standards set by the Payment Card Industry Security Standards Council. Formed in 2006, this group of credit card issuers sets minimum standards for companies that accept credit cards.

"The threat landscape is constantly evolving, and PCI SSC expects security standards to do the same," Stephen W. Orfei, GM of PCI SSC, said in a statement. "Recent attacks are concerning, but we are confident that, in partnership with our community of experts, we are keeping our standards and guidance sharply focused on securing payment card data globally."

PCI Sets 'Baseline' Security Standards

In theory, PCI is good for retailers. Security is expensive, but PCI sets a minimum standard that everyone must adhere to, discouraging competitors from cutting corners to maximize profits.

"PCI standards provide a strong baseline protection and should be part of any risk-based and layered approach to security," Orfei says, adding that version 3.0 of the PCI Data Security Standard addresses "how to make security 'business as usual,' what to consider when working with third parties and how to use layers of defense to protect against malware."


That said, PCI standards aren't a perfect defense against fraud. Mike Lloyd, CTO of RedSeal Networks, a security risk management solutions firm, equates them to signs in bathrooms that tell employees they must wash their hands before returning to work.

"It's not the be all and end all of perfect medical care. Those signs aren't perfect hygiene, but it's setting a basic bar, and if everybody follows that, we're all better off," he says. In the same way, PCI standards set that minimum bar: "They require your competitors to come up to the same base level."

If your competitors follow those minimums, that is. Based on information Vinny Troia has seen about the Home Depot hack, he doesn't think the retailer should have passed its assessment, as the company allegedly wasn't checking its logs daily.

"Any time that data was being collected and siphoned off and sent somewhere else, that would have been captured in the security logs," says Troia, CEO of Night Lion Security, an information security consulting firm. "If you have the equivalent of a leaky faucet, and you're looking at it every day, you're going to notice it. Maybe you look at it once a week. If things get really bad, maybe once a month. But Home Depot dragged it on for five months before they figured it out."

PCI, Auditor and Client Goals Rarely Align

PCI reporting requirements change depending on the size of your business. Smaller companies self-report. Larger companies such as Home Depot must use a third-party entity called a qualified security assessor (QSA) to perform what's essentially a security audit to make sure they comply.


The goals of PCI, retailers and QSAs don't often align, Lloyd points out.

  • PCI is meant to protect card issuers and make sure that consumers feel safe enough to keep using credit and debit cards, therefore ensuring card issuers make a profit. That's why they set these standards.
  • Retailers want to make as much profit as possible by keeping costs as low as possible. Security is expensive, especially for big retail chains, and it's a tempting spot to start cutting corners.
  • QSAs, a group that includes big names such as PricewaterhouseCoopers and AT&T Consulting Solutions, also look to make a profit. They do that by performing as many security audits as possible -- and retailers pay for those audits.

Fixing PCI: Automation, Fewer Cozy Relationships, Penalties?

Lloyd points to the relationship between a retailer and QSA as one potential weak point in the system. "Not all QSAs are the same," he says. "They have to compete with each other, too."

It's not uncommon for retailers to shop around for QSAs, he adds. Requiring retailers to hire a different QSA at least once every other year would prevent the relationship from being too cozy.

Orfei says PCI doesn't control or enforce the merchant/QSA relationship, which it sees as similar to any other client/auditor relationship. "Just like other auditors, QSAs have a responsibility to provide an independent third party assessment," he says.


Lloyd also recommends automation. "We're all engaged within this industry and trying to figure out how much of this we can automate, because that's where the profit is," he says. "Take PCI standards and turn them into something a machine can do and try to grab as much automation as we can."

Automation would lower the cost of meeting PCI standards. That, in turn, would increase the odds that companies would follow those standards without cutting corners. Automating the work of the QSAs means that there's less room for human error, too.

Another tactic: Penalize companies that don't comply. "In the case of all these breaches, it hasn't been done once. Transactions are never suspended," Troia says. "My personal opinion is it's the only way someone is really going to get the message."

Orfei says PCI doesn't play a role in managing compliance with its own standards. "PCI SSC is focused on payment security thought leadership including developing technical standards. Incentives or enforcement to comply with PCI Standards is the function of card brands and bank partners."

Stories by Jen A. Miller