Does PCI Compliance Equal Security?
Updated: Feb 28, 2019
As we talked about in last week’s post, the PCI Data Security Standard has established a near-universal set of technical and operational requirements to which all businesses that process credit card transactions must adhere. Accepting card-based payments is the norm in the hospitality sector—it’s a must for any hotel or restaurant hoping to offer the ease and convenience that today’s business and leisure travelers have come to expect.
Hence demonstrating and maintaining compliance is—and rightfully should be—of concern to all industry leaders today. Recent reports do indicate that they’re moving in the right direction: according to Verizon’s most recent Payment Security Report, 55.4% of organizations surveyed were found to be 100% compliant at an interim assessment. This is an impressive accomplishment, especially considering the cost and complexity of full compliance, and considering that this is the fifth consecutive year in which rates have increased.
The hospitality industry’s performance remained below average, though at 42.9% fully compliant, the industry still saw a significant improvement upon last year’s numbers (30.0% full compliance).
Overall, PCI DSS compliance rates are clearly on the rise. But it’s worrying to note that overall rates of data compromise aren’t decreasing in line with these improvements in compliance. Over the same five-year period, according to the 2017 Breach Level Index Report, the total number of breach incidents perpetrated by malicious outsiders rose from 662 to 1,269, with a peak of 1,336 in 2016. In other words, during a time when PCI compliance saw a 44.3% increase, the number of malicious data breaches grew by 91.6%.
Given these troubling numbers—and anecdotal accounts, such as the story of the Target breach, which occurred just weeks after the retailer was certified as compliant—it’s tempting to conclude that PCI compliance, though it’s both mandatory and expensive, lacks any real security benefit.
But the data in the aforementioned 2017 Verizon Payment Security Report, which analyzed more than 300 network intrusions involving payment card data, show that none of the breached companies was fully PCI compliant at the time of the attack. Further, Verizon investigators claim that “of all the payment card data breaches … [their] team investigated over the past 12 years, not a single organization was fully PCI DSS compliant at the time of the breach.”
How, then, can we explain the apparent disconnect between Verizon’s findings and the Breach Level Index data? A few facts about PCI compliance—its value and its limitations—can cast more light on the real relationship between compliance and information security.
#1: Being Certified Compliant Doesn’t Mean You Really Are
It’s a commonplace—and entirely reasonable—assumption: if your organization passes the annual compliance assessment conducted by a Qualified Security Assessor (QSA), who has been certified by the PCI Security Standards Council, you must be fully compliant. This only makes sense, right?
But QSAs have only a limited amount of time to spend on each assessment. Their methodology necessarily relies upon user-reported information (interviews) and sampling. They simply do not have enough time to review a comprehensive collection of system event logs, check all network and component configuration settings, and comb through all on- and offsite data repositories. Just as the interview—as a method of data collection—is inherently subject to human error, sampling is by nature incomplete. It’s not uncommon for organizations to discover compliance gaps soon after certification—gaps that were missed by QSAs.
#2: True Compliance is a Dynamic Process, Not an Annual Event
Another commonplace assumption among hospitality industry leaders is that PCI compliance is fundamentally a one-time event. If you’re found to be in compliance at the time of your annual assessment, this logic goes, your security is guaranteed for the following year. But nothing could be further from the truth.
In fact, PCI compliance requires ongoing effort, including employee training, monitoring system events and configuration settings, and installing software updates. Failure to perform any one of these tasks can cause your organization to fall out of compliance, even if your certification remains current.
Verizon’s own breach investigations emphasize this point: all the breached organizations Verizon surveyed had failed to maintain full compliance, most often by neglecting to maintain accurate system and user activity logs, disregarding software patches, or mistakenly altering secure configuration settings.
#3: The PCI Standard is Subject to Interpretation by Individual QSAs
The PCI DSS is written in the form of a checklist, with each requirement composed of a series of sub-requirements, and each sub-requirement defined such that compliance (or non-compliance) can be stated in binary terms (yes/no). This makes it seem that compliance is simple to verify.
But consider, for instance, sub-standard 11.2, which states that organizations must “run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).” At first glance, it seems that determining whether or not an organization performs quarterly network vulnerability scans would be easy to do. But the individual QSA is in fact tasked with deciding which network changes rank as “significant.”
And, on the one hand, because QSAs are paid by the organizations they’re hired to assess, they may be subtly pressured to let small problems slide, or risk not being re-hired for next year’s assessment in favor of an “easier” consultant. On the other hand, a forensic investigator, seeking to determine a breach’s cause after the fact, may be motivated to apply a stricter definition of the term “significant.”
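The interpretation problem in requirement 11.2 can be made concrete. The following is an added example, not code from the original post or from any PCI tool: it checks a constructed change log and scan log against both triggers in 11.2 (quarterly scans, and a scan after any significant change) and shows that the same records pass under a lenient definition of “significant” and fail under a strict one. The 30-day window for a post-change scan is an assumption; the standard sets no such number.

```python
from datetime import date, timedelta

# Constructed sample data for one assessment year (not from the post).
CHANGES = [
    (date(2018, 2, 3), "firewall rule modification"),
    (date(2018, 5, 20), "new system component installation"),
    (date(2018, 8, 14), "product upgrade"),
    (date(2018, 11, 2), "change in network topology"),
]
SCANS = [
    date(2018, 1, 15), date(2018, 4, 10), date(2018, 5, 25),
    date(2018, 7, 9), date(2018, 10, 5), date(2018, 11, 20),
]

# Two readings of "significant": a lenient QSA might count only the first two
# change types; a strict forensic reviewer might count all four listed in 11.2.
LENIENT = {"new system component installation", "change in network topology"}
STRICT = LENIENT | {"firewall rule modification", "product upgrade"}

# Assumed grace period: a scan within this many days "follows" a change.
WINDOW_DAYS = 30


def quarter(d):
    """Map a date to its (year, quarter) bucket."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarterly_gaps(scans, year):
    """Quarters of the given year with no scan at all (first trigger of 11.2)."""
    covered = {quarter(s) for s in scans}
    return [q for q in range(1, 5) if (year, q) not in covered]


def unscanned_changes(changes, scans, significant, window_days=WINDOW_DAYS):
    """Significant changes not followed by a scan within the window (second trigger)."""
    missed = []
    for when, kind in changes:
        if kind not in significant:
            continue
        deadline = when + timedelta(days=window_days)
        if not any(when <= s <= deadline for s in scans):
            missed.append((when, kind))
    return missed


def assess(changes, scans, significant, year=2018):
    """Combine both triggers into one verdict for a given definition of 'significant'."""
    gaps = quarterly_gaps(scans, year)
    missed = unscanned_changes(changes, scans, significant)
    return {"compliant": not gaps and not missed,
            "quarterly_gaps": gaps, "unscanned_changes": missed}
```

Running assess() with LENIENT and then STRICT on the same logs returns a passing verdict first and a failing one second, which is exactly the gap between an assessor’s reading and an investigator’s that the post describes.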
#4: Like the Security Industry Overall, PCI DSS Favors Prevention Over Rapid Detection
The current PCI standard mandates that compliant systems include only two specific software applications or devices (anti-virus software and a firewall), and both are intended solely to prevent incursions rather than increase the speed with which organizations can identify and contain breaches.
Anti-virus software programs are reactive by design, requiring near-constant updating yet still leaving subscribers vulnerable to as-yet undiscovered malware variants. Firewalls, though commonplace and necessary, are intended as a “first-line” defense, blocking intruders at the network’s perimeter, and making their strongest contributions to overall security when serving as part of a multi-layered, defense-in-depth strategy.
PCI DSS does not mandate the use of a SIEM tool or other system event visualization platform, even though such advanced analytics can significantly reduce the time it takes to detect a breach, and even though integrating SIEM and advanced threat protection platforms with firewalls and anti-virus programs demonstrably improves their performance.
In summary, PCI DSS—as you’ll recall from last week’s article—was developed to protect the interests of the banks issuing payment cards, not the merchants who rely upon them to do business. It’s far more difficult for organizations to maintain compliance than it is to obtain it, and quite easy for forensic investigators—and card issuers—to discover noncompliance after the fact—and use it as grounds for finding liability.
Nonetheless, attaining true compliance—an ongoing process that requires effort, care, and thoughtful attention from employees in many roles within your organization—has real value, in terms of both security and protection from liability. Maintaining real compliance for its own sake can seem difficult, complex and costly. But compliance can also come as a simple by-product of choosing a multi-layered, defense-in-depth security platform that includes advanced network monitoring tools and behavioral analytics. And partnering with a managed detection and response provider like Netswitch can make this option surprisingly affordable.