Jan. 30, 2009
Security vs. PCI Compliance
Accounts of highly publicized data breaches over the last few months at companies that were seemingly PCI compliant beg the question: “does PCI compliance equal security?” The answer is, “it depends.” No business is ever completely secure, but companies can mitigate their risk and make a breach much harder and more resource intensive for an attacker. Becoming PCI DSS (Data Security Standard) compliant provides a security baseline and is a good first step, but it is critical to implement both the letter and the spirit of the standard.
Many companies implement only the letter of the PCI DSS – checking the boxes, if you will. They have technology and processes in place that satisfy the exact wording of the standard but do little to provide real security for their organizations. For example, requirement 11.1 calls for testing for the presence of wireless access points, and a wireless analyzer is one of the permitted methods (there are other options, but for the sake of the example we will use a wireless analyzer). The requirement does not specifically state where companies must test for access points, or whether they should check channels above 11 (channels 12 and 13 exist in the 2.4 GHz band, but they are not normally used in the USA). The point is that some level of interpretation is required when answering the question. Can a company boot up its wireless analyzer, leave it stationary even though the company has a large store, check only the channels permitted within the USA, and then tick the requirement off the list? At the very least the company can make a strong internal argument that the requirement is met. Whether its acquiring bank or another auditor would accept that as a valid response will likely depend on the entity.
The ideal practice is for companies to use PCI DSS as an opportunity to build and maintain a strong security posture: reviewing and, where needed, researching each requirement to truly understand what it means, and leveraging the exercise to develop policies and practices that best fit their business. As an example, let’s take another look at requirement 11.1 of the PCI DSS from a best-practices perspective. Adopting the approach just discussed, the company would research wireless access points (if it is unfamiliar with them) and scan for access points on channels that are not normally used in the USA, not just channels 1 through 11. It would also walk around its location with the analyzer – both inside and outside – to see whether additional access points turn up that a stationary analyzer would have missed, and compare everything found against the list of access points the company actually deployed, since a scan only detects a rogue access point if you know which ones are yours.
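The following script is an added example, not part of the original post or of any PCI Council material, showing what the best-practices reading of requirement 11.1 looks like in code: it parses scan output in the shape of Linux `iw dev wlan0 scan`, merges sweeps taken from several positions around the site (the “walk around” step), converts centre frequencies to channel numbers so that channels 12 and 13 are not silently dropped, and flags anything that is not in the authorized inventory. The inventory, the BSSIDs, the SSIDs and both sweeps are constructed for the example; real inventory data would come from the site’s asset register.

```python
import re
from dataclasses import dataclass

# Hypothetical authorized-AP inventory (assumed; a real one comes from the
# site's asset register), mapping BSSID -> SSID it is expected to broadcast.
AUTHORIZED = {
    "00:11:22:33:44:55": "STORE-POS",
    "00:11:22:33:44:56": "STORE-GUEST",
}
US_2G_CHANNELS = set(range(1, 12))  # channels 1-11: the usual US 2.4 GHz set

# Constructed sweep taken with the analyzer parked at the front of the store.
SWEEP_FRONT = """\
BSS 00:11:22:33:44:55(on wlan0)
	freq: 2437
	signal: -41.00 dBm
	SSID: STORE-POS
BSS 00:11:22:33:44:56(on wlan0)
	freq: 2412
	signal: -47.00 dBm
	SSID: STORE-GUEST
BSS 66:77:88:99:aa:bb(on wlan0)
	freq: 2467
	signal: -58.00 dBm
	SSID: linksys
"""

# Constructed sweep from the loading dock; the stationary sweep never sees it.
SWEEP_DOCK = """\
BSS 00:11:22:33:44:55(on wlan0)
	freq: 2437
	signal: -70.00 dBm
	SSID: STORE-POS
BSS de:ad:be:ef:00:01(on wlan0)
	freq: 2472
	signal: -45.00 dBm
	SSID: STORE-POS
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: float


def freq_to_channel(freq_mhz: int) -> int:
    """Map an 802.11 centre frequency in MHz to its channel number."""
    if freq_mhz == 2484:                 # channel 14 (Japan only)
        return 14
    if 2412 <= freq_mhz <= 2472:         # 2.4 GHz channels 1-13, 5 MHz apart
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5900:         # 5 GHz band: channel = (f - 5000) / 5
        return (freq_mhz - 5000) // 5
    raise ValueError(f"unsupported frequency {freq_mhz} MHz")


def parse_scan(text: str) -> dict:
    """Parse `iw dev <if> scan`-style text into {bssid: AccessPoint}."""
    raw_aps, cur = {}, None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", raw)
        if m:
            cur = {"ssid": "", "channel": 0, "signal": 0.0}
            raw_aps[m.group(1).lower()] = cur
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("freq:"):
            cur["channel"] = freq_to_channel(int(line.split()[1]))
        elif line.startswith("signal:"):
            cur["signal"] = float(line.split()[1])
        elif line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
    return {b: AccessPoint(b, d["ssid"], d["channel"], d["signal"])
            for b, d in raw_aps.items()}


def merge_sweeps(*sweeps: str) -> dict:
    """Union several sweeps, keeping the strongest sighting of each BSSID."""
    merged = {}
    for text in sweeps:
        for bssid, ap in parse_scan(text).items():
            if bssid not in merged or ap.signal_dbm > merged[bssid].signal_dbm:
                merged[bssid] = ap
    return merged


def audit(aps: dict, authorized=AUTHORIZED, allowed_2g=US_2G_CHANNELS) -> dict:
    """Return {bssid: [reasons]} for every AP that needs a human to look at it."""
    findings = {}
    for bssid, ap in sorted(aps.items()):
        reasons = []
        if bssid not in authorized:
            reasons.append("BSSID not in authorized inventory")
            if ap.ssid in authorized.values():
                reasons.append(f"advertises authorized SSID {ap.ssid!r} (possible evil twin)")
        elif ap.ssid != authorized[bssid]:
            reasons.append(f"authorized BSSID broadcasting unexpected SSID {ap.ssid!r}")
        if ap.channel <= 14 and ap.channel not in allowed_2g:
            reasons.append(f"channel {ap.channel} is outside the US 2.4 GHz set (1-11)")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for label, aps in (("stationary", parse_scan(SWEEP_FRONT)),
                       ("walked", merge_sweeps(SWEEP_FRONT, SWEEP_DOCK))):
        print(f"== {label} ==")
        for bssid, reasons in audit(aps).items():
            print(bssid, "->", "; ".join(reasons))
```

On the constructed data the stationary sweep reports one unknown access point on channel 12, and only the walked sweep surfaces the second one on channel 13, which is broadcasting the authorized STORE-POS name from a BSSID the company never deployed. An analyzer that checks only channels 1 through 11 would report neither.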
To become PCI compliant and to run a more secure business, companies should follow both the letter and the spirit of the standard. For each requirement, the goal should not be the bare minimum needed to check off a box on a form. Going a bit above and beyond the requirement usually yields far more value to the company, and in most cases it adds less expense than people expect. For our requirement 11.1 example, once a company has bought an analyzer and trained its staff, does an extra lap around the facility really cost much more?
The PCI DSS will continue to evolve over time. If the changes from version 1.1 to version 1.2 are any indication, the PCI Council is pushing organizations to implement better security rather than merely satisfy a checkbox. Companies that focus on understanding the PCI DSS requirements, and then secure their business based on a true understanding of the spirit of those requirements, will not only be more secure but will also need to make fewer changes to their security policy as new versions of the PCI DSS emerge.