PCI Compliance is Worthless

HOSTING just successfully validated our PCI-compliant status as a Level 1 Service Provider again this year, and that got me thinking about a little webinar I did in May called “SAS-70 is Worthless – Why You’re Looking at the Wrong Reports” (I’m admittedly a little proud of that title). In that webinar I mused on a couple of – we’ll call them – assumptions in the business world when it comes to validating that your outsourced IT providers have strong security controls in place to protect your data.

Why would an organization trust a 1980s financial auditing standard to assess modern IT security controls? Why do security professionals trust CPAs to assess IT environments at all? Why aren’t many providers using newer assessment frameworks specifically targeted at IT outsourcing?

PCI DSS is certainly a more tactical, targeted assessment of IT control environments—a true data protection-focused framework. It’s not perfect. No pre-fab list of security controls will ever be perfect, but as far as my primary beefs with the SAS70/SSAE16/SOC1 stuff go, it does pretty well:

  • Based on the IT-focused, well established ISO-27000 standards
  • Developed and maintained by a community of global security pros
  • Assessed by trained professionals with decent conflict of interest controls

Even with the ever-present complaints of vagueness in some parts of the standard, the simple pervasiveness of the standard makes it the single most approachable IT security framework out there. The huge market for PCI assessment services (there are ~8.5m merchants in the US alone) means that there’s also a huge range of methods and services to validate compliance. I’ve even recommended PCI DSS as a framework for people handling sensitive data other than credit/debit cards, for example, healthcare.

Unlike most regulatory controls, PCI actually provides a prescriptive framework to get you started with a strong set of security controls. Where HIPAA effectively states “figure out what your risks are and do something about it”, PCI says “look… risk assessment is CRITICAL to having a complete set of controls, but regardless, if you’re going to be putting sensitive data online, you need to be doing x, y, and z.”

PCI may not be the custom house built exactly to your unique specifications, but it’s certainly the pre-furnished luxury condo that’ll keep you comfortable straight away. So why have I implied in the title of this post that PCI, apparent saviour of IT pros everywhere, is worthless? Because no one ever does it right.

Think that I’m reaching a bit too far? The PCI Security Standards Council themselves have previously asserted that no breach has ever occurred on a compliant environment. Read another way, the safe harbour from financial liability for fraud associated with card theft has never been successfully claimed by any merchant. Still think your business is protected?

This is further aggravated by the PCI Council’s own compliance validation policy. It’s prohibitively expensive for most merchants to implement all of the security controls in the PCI DSS, yet those smaller merchants are also the ones that carry the most relative risk. Culpability for fraud associated with credit card theft is most likely to have small to mid-sized enterprises shuttering their doors. You don’t see TJ Maxx in dire straits following their record-setting breach. Well, at least not because of the breach.

Smaller merchants that do not store credit card information are only required to complete an abbreviated questionnaire that covers a handful of the easier security controls. This system helps reinforce the perception that PCI compliance is effectively patching your servers and running a $25 network scan every couple of months. What nearly everyone misses is this statement from the separate questionnaire document: “According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety.”

This is again backed up by the assertion that merchants check off on their attestation paperwork, often without realizing the weight of the statement.

[Image: PCI is Worthless]

It gets worse with a marketplace that advertises endless PCI compliant solutions: a suite of security technology that makes you compliant, or scanning services that can magically alert you to any violation without even logging into your website. Hell, I’ve even heard “PCI Compliance in a Box”.

What’s really frightening however is that the merchants who put their trust and often the very survival of their business in the hands of outsourced IT providers are doing so with nearly no information. That same little piece of paper that they fill out—the Attestation of Compliance—is generally what they receive when they ask about their provider’s PCI compliance status. Herein lies a secret: all those assertions that the merchants make about being 100% compliant with every PCI control? They don’t apply to service providers. We, as service providers, get to decide, mostly for ourselves, which ones are relevant (page 11 of the PCI DSS 2.0 standard makes a vague reference to service providers making a list of what is going to be applicable to them). This is even the case for those of us that do a Level 1 validation and are audited by a qualified third party security assessor.

So I think I’m ready to say it, here goes: PCI compliance (with no context for the scope of the assessment and no mapping of its applicability to my environment) is worthless.

Ok, so I hedged there a little bit. But I think that’s the right way to look at it. It’s not like any of us are going to suddenly stop leveraging computers, the internet, and cloud computing to deliver our products and services. We certainly cannot simply decide for ourselves to abandon PCI and stop filing our annual compliance paperwork. But what can we do to effectively and economically manage risk for the ever-growing reams of sensitive data that we must interact with?

Here goes: Start with a simple conversation.

Hardly anyone ever asks how my data will be protected, and no one ever asks for the details: what PCI controls were included in our assessment, what products and services they are relevant for, and what am I—the customer—still responsible for? Which is why I’m ecstatic that we are now including all of this information, as compiled by Trustwave, who conducted our assessment, with every copy of the Attestation of Compliance that we distribute to our current and potential customers.

It will never be “Compliance in a Box” but I think it’s a step in the right direction. Already we see people who get the report asking more questions – and thinking more on the risks that together we must manage to successfully leverage the awesome power of the cloud. And that is truly a worthy thing.
