While catching up on some reading from last month, I noticed an interesting article about the FTC taking a hard look at the effectiveness of the PCI Data Security Standard (PCI-DSS) and of the assessor audit process. Although I disagree with some of the assertions in the post, especially the statement that the PCI-DSS is only a “core set of 12 basic requirements” (those 12 high-level requirements expand into several hundred individually testable sub-requirements), I do agree that the FTC’s involvement and interest in PCI assessment processes, methodologies, and practices is worth discussing.
So, why is the FTC involving itself? I see two likely motives: to push assessor firms away from the inadequate scoping and validation that occur during some PCI assessments, and to position the FTC as a representative of the people whose cards are exposed in payment card breaches.
As for assessment practices, I believe the core problems are scoping failures and re-use of a previous year’s assessment during the annual PCI assessment cycle. Scoping failures come in two forms. The first is defining the true boundary of the cardholder data environment: an assessor cannot always identify systems that the assessed entity has not declared as part of the store-process-transmit path of cardholder data. The second is scoping the level of effort: assessors face time pressure to complete assessment activities efficiently and meet deadlines, often on a project that was not fully understood because little information was available about the assessed entity’s readiness to be evaluated. That pressure leads to the other problem area, re-use of a previous year’s PCI assessment report as guidance, and sometimes even as content, when developing the current report. Shortcuts built on a prior year’s work invite missteps, because a control that was validated as in place last year can break within a calendar year for any number of reasons.
Regular updates to the PCI-DSS have put a stronger focus on assessors reaching conclusions that are defensible, driving out any lingering notion that an interview response alone is acceptable evidence, except where the standard specifically permits attestation by the assessed entity. For every sub-requirement, an assessor needs to examine the control through a collection of artifacts or by direct observation. Keep in mind, however, that assessing is not the same as scoping, and the scoping approach allows flexibility: the flexibility to take the assessed entity’s word that cardholder data is only where they say it is. This is where the “blame the assessor” reaction to a breach falls flat. As I mentioned, when a client limits scope by segmenting and isolating the cardholder data environment, as most do, the assessor will generally validate controls only in the areas he or she knows or determines to be in scope.
Another interesting aspect of this topic involves consumer protection and risk acceptance by the payment brands (Visa, Mastercard, American Express). The PCI-DSS and the PCI Security Standards Council are closely tied to the card brands and payment networks, so I would be surprised if the card brands stated that the PCI-DSS is ineffective; if they held that opinion, major changes to the standard would likely follow. I think the payment brands have accepted that a certain amount of breach-related loss will occur, but they accept that risk on their own behalf as businesses. Breaches happen at some rate, there is a cost, the payment brands and issuing banks re-issue cards and offer identity theft monitoring to those affected, and business continues as usual. What a payment brand finds acceptable as a loss does not necessarily account for the full impact on cardholders, and that is why I believe the FTC is stepping in: the consumers are not otherwise fully represented. Will the FTC mandate changes that affect the PCI security standards? It is hard to say, since the PCI Security Standards Council is already proactive in maintaining them. Perhaps the FTC will serve as a stakeholder in those processes.
As for a call to action, if you are an assessed entity that is bound to the PCI-DSS, there are a few things to consider:
- Know your environment, know where your cardholder data resides, and document your cardholder store-process-transmit segments thoroughly. It will help your assessor be effective and efficient, and reduce the likelihood that an assessment grows by way of a change order.
- Require that your assessor or assessment firm does not use a previous year’s assessment report, either as an input to the assessment or as a basis for the new report. This helps ensure that the assessor reviews compliance thoroughly each year.
- Rotate assessors to get a fresh perspective on your environment. I recommend requiring a change in assessment staff annually and selecting an alternate assessment firm every three years to get variance in assessment methodology.
You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations. According to Dark Reading, the “at-risk window” may have opened as early as July 30, 2015, with identified fraud documented from August 13, 2015, to December 8, 2015. The malware responsible captured cardholder data as it was transferred from the onsite processing location to the compromised system.
Post-breach, Chuck Floyd, global president of operations for Hyatt, said: “…we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.” We cannot know for sure whether that statement means operational security controls were enhanced only as a result of the breach, but it raises the question: beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?
Many organizations focus their security efforts on passing an audit, which can detract from building an actually effective security program. One of the key takeaways from the Hyatt breach is the importance of aligning security compliance with operational security.
Why Passing a PCI-DSS Audit May Not Be Enough
Compliance with standards and regulations like the PCI-DSS should serve as a baseline for security, but passing an audit does not guarantee effective operational security practices. PCI compliance assessments, in particular, are limited in scope, generally covering only the computing environments, systems, system components, and processes that store, process, or transmit cardholder data.
Focusing on cardholder data alone can leave a business at risk in other areas, because a PCI assessor is only obligated to assess the security controls applied to the environment where cardholder data is stored, processed, or transmitted.
Organizations go to great effort to process cardholder data in an isolated, segmented environment so that PCI requirements apply only within that narrow scope. However, if the approach to security is pass-the-audit, any inaccuracy in scoping the PCI environment puts cardholder data at risk, along with any other sensitive non-cardholder data that resides outside the audit’s area of focus.
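The scoping inaccuracy described here, and the call to action in the first part of this post to know where your cardholder data resides, both come down to one practical check: look for PAN-shaped data on systems that were never declared part of the cardholder data environment. Below is an added illustration of that check, written for this post rather than taken from CyberSheath, Hyatt, or any assessor’s toolkit. It assumes a hypothetical inventory of hosts and file contents (constructed inline, using the public Visa, Mastercard, and American Express test numbers) and a hypothetical set of declared CDE hostnames; the issuer prefix rules are the public ones for those three brands, and the Luhn check is the standard mod-10 check every real PAN satisfies.

```python
"""PAN discovery check for scope validation.

Added example, not code from the original post or from CyberSheath/Hyatt.
Looks for primary account number (PAN) patterns in file contents and flags
hits on hosts that were NOT declared part of the cardholder data environment
(CDE). Hostnames, paths and file contents are constructed for illustration.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so a 32-digit hash is not split up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical scope declaration: hosts the assessed entity says hold card data.
DECLARED_CDE = {"pos-01", "pay-gw-01"}

# Constructed sample inventory: (host, path, content). The card numbers are
# the public Visa/Mastercard/Amex test numbers, not real accounts.
SAMPLE_FILES = [
    ("pos-01", "/var/log/pos/txn.log",
     "2015-08-13 AUTH 4111 1111 1111 1111 exp 12/17 OK"),
    ("crm-02", "/srv/exports/customers.csv",
     "id,name,card\n7,Jane Doe,5555555555554444\n"),
    ("web-01", "/var/log/httpd/access.log",
     "GET /order?id=1234567890123456 HTTP/1.1"),   # 16 digits, fails Luhn
    ("mail-01", "/home/ops/ticket.txt",
     "customer says card 3782 822463 10005 was declined twice"),
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Luhn plus the public issuer prefix/length rules for three brands.

    Other brands would be added the same way; unknown prefixes are rejected
    to keep false positives (order IDs, timestamps, hashes) down.
    """
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        return False
    if digits[0] == "4":                                      # Visa
        return len(digits) in (13, 16, 19)
    if (digits[:2] in {"51", "52", "53", "54", "55"}
            or 2221 <= int(digits[:4]) <= 2720):              # Mastercard
        return len(digits) == 16
    if digits[:2] in ("34", "37"):                            # American Express
        return len(digits) == 15
    return False


def mask(digits: str) -> str:
    """Keep first six and last four (the PCI-DSS display limit) for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if looks_like_pan(digits):
            hits.append(mask(digits))
    return hits


def scan(files, declared_cde) -> list:
    """Scan every (host, path, content) tuple; note whether the host is in scope."""
    findings = []
    for host, path, content in files:
        for masked in find_pans(content):
            findings.append({"host": host, "path": path, "pan": masked,
                             "in_declared_cde": host in declared_cde})
    return findings


def out_of_scope_findings(files, declared_cde) -> list:
    """The scoping failures: card data on hosts nobody declared as CDE."""
    return [f for f in scan(files, declared_cde) if not f["in_declared_cde"]]


if __name__ == "__main__":
    for f in out_of_scope_findings(SAMPLE_FILES, DECLARED_CDE):
        print(f"UNDECLARED CDE HOST {f['host']}:{f['path']} holds PAN {f['pan']}")
```

On the sample inventory the declared POS host is reported as expected, the 16-digit order ID on the web server is discarded because it fails the Luhn check, and the CRM export and the ops ticket surface as card data on hosts that were never declared in scope, which is exactly the gap an assessor relying on the entity’s scope statement would not see. A real discovery run needs more issuer ranges, read-only access to file shares, databases and memory, and masked output only, so the scan itself does not become a new place where full PANs are stored.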
How to Effectively Secure Your Sensitive Data
Although how the malware got into Hyatt’s environment has not been disclosed, aligning your compliance efforts with day-to-day operational security to produce an integrated view of risk is the right way to secure sensitive data. If you are unsure where to begin, check out CyberSheath’s blog post on the 3 Steps to Secure Your POS, which highlights three steps to get you started in the right direction. CyberSheath also offers security assessment services, providing a complete analysis of the strengths and weaknesses present in your current environment.