Five 'Truths' About PCI Compliance and Cybersecurity

Posted originally on Wired, InnovationInsights blog

In my last blog, I dispelled three common misconceptions about the Payment Card Industry (PCI) Data Security Standard. And to lend further insight about PCI — especially with regard to its impact upon your cybersecurity assurance — I’d like to share five "truths" that you must know about your approach to cybersecurity and PCI compliance:

1. Never separate PCI compliance from your overall security efforts.

   Many organizations make the mistake of putting PCI in some kind of box, practically removed from the security program. But PCI is a data security standard. How can you compartmentalize a framework that was originally intended to measure the maturity of a company’s security program, particularly as related to the protection of payment card data? This approach is highly flawed and speaks to the way PCI has been misapplied and misinterpreted.

2. Choosing the right (Qualified Security Assessor) QSA makes all the difference in the world.

   With this in mind, companies need to hire PCI assessors who are experienced information security professionals and truly understand the payment card industry security requirements. Not CPAs who became auditors and last week were conducting audits against Sarbanes-Oxley, Gramm–Leach-Bliley Act, Health Insurance Portability and Accountability Act, or some other regulatory standard. Beware of certifications as well; a CISSP does not an information security professional make.

   There are potential conflicts of interest if a QSA company also provides additional managed security services or remediation services. While reputable companies fit this model, ask yourself: does the QSA really have the companies best security interests in mind, or are they really upselling other services?

3. Pay attention to what the PCI Data Security Standard (DSS) already requires or strongly recommends.

   I’ve read several articles recently about what to do “over and above” your PCI compliance initiatives to ensure you are secure and won’t be the next victim of a breach. I’m surprised at how many suggestions are already addressed by the PCI DSS.

   Segmentation of cardholder data is highly recommended already by PCI. The standard requires the implementation of controls which monitor and restrict network traffic from point-of-sale (POS) registers and back-office systems. If you’re not already doing so, you’re both insecure and non-compliant (no matter how much you’ve already paid to be compliant).

   Providing additional security measures to POS systems? POS systems must already be single purpose, and there has to be a layered approach to protecting applications running on those registers in terms of external/internal systems.

   Restricting access to USB ports is a great idea and already a requirement, but consider that most PIN Transaction Security (PTS) / Point of Interaction (POI) devices are plugged into the POS system via a USB port. Even if you disable all other USB ports, there still is at least one for the POI. (Not to mention the occasional monitor, keyboard and mouse.) What prevents an attacker from unplugging an authorized system component or peripheral and taking advantage of that port? The PCI Council has answered this question by requiring more stringent physical security controls for these POI devices in the newly revised PCI DSS version 3.

4. It’s not enough to acquire and implement tech tools — you have to understand them.

   PCI requires daily (or automated) review of all system and event logs to detect malicious activity. Thus, there are an abundance of automation/analytics tools out there, all claiming to bring the “magic bullet.” While it’s true that automation and analytics are key, acquiring and implementing them will do you no good if you and/or your internal IT teams have not taken the time to comprehend what you’re seeing and what’s being reported.

   Over the years, the most secure networks I have seen at companies are the ones where there are certain individuals (or teams) that take it upon themselves to “know” their network, the business processes and data flows, and the overall operation. They are the ones most likely to notice anomalous behaviors -- either directly or by observing the outputs of tools that automate the culling of this type of data -- and they are the ones that most often save the day for their companies.

5. Your security analyst team must be properly trained and should be highly valued.

   Obviously, these types of individuals are hard to come by; they don’t grow on trees. They often are not motivated in the ways that others are motivated -- namely, it’s not always about the paycheck. More often than not, it is about recognition and appreciation -- not even from within the company or from management but often from their peers in the professional community at large.

   Still PCI attempts to establish a baseline of qualifications for these types of individuals. PCI does not speak to headcount. But it does require that daily operational procedures are assigned to specific individuals/roles – individuals who receive adequate, ongoing training in their areas of focus. In addition, individuals with incident-handling responsibilities require annual specialized training to learn how to properly analyze and respond to incidents and events, such as when to escalate. You can’t pay lip service to their shift length either. They have to attentively monitor and act upon security alerts. If they’re fatigued, they increase the risk of overlooking a high-priority situation.

   Realistically, many merchants outsource the monitoring/detection responsibilities to managed security services providers. I don’t know how a merchant can be assured that the provider has sufficient staff, or whether those employees are trained to review and detect anomalous behavior. (As opposed to merely being capable of waiting for an automated alarm.) When you outsource responsibility for the security of your network to a third party, you are putting your company’s “life” in someone else’s hands. Is this a fiscal necessity? Perhaps, but is it really more cost-effective in the long run?

In reality, these “truths/must do’s” represent only the foundation of optimal PCI compliance/cybersecurity operations. In the next two blogs, I’m going to dig deep into the details behind best practices which must be incorporated into all of your cybersecurity initiatives.