Chaordic Mind

This is a re-post of an article I wrote for IT Compliance Advisor, a part of TechTarget.com, in August 2009.  I find the material to be just as applicable now as it was then.  You can find a list of reference material here.

One of the problems that many companies face is staying ahead of the information security curve. Go too fast and you run the risk of wasting capital, but run too slow and you run the risk of being compromised. So how a company can escape the hamster wheel of pain? Be proactive in managing risk and implementing a maturity framework for the organization.

In an attempt to balance the two domains of cost and security, a continual tradeoff, many companies have implemented regulatory compliance standards. These are good tools for measuring ones security to a known industry baseline. The classic example of this is the Payment Card Industry Data Security Standard (PCI DSS). Using standards like PCI DSS, companies can measure their adherence to eliminating sensitive data and protecting the remaining in-scope systems.

There are two problems with aligning an entire information security model along any singular guideline. It should be noted that, in the absence of any information security program, PCI DSS is a very good baseline standard.

The first challenge is the 0-to-100 problem. Some companies start with no information security program and try to adhere to something like PCI DSS. Much like measuring the acceleration of a car by how fast it can go from 0 to 100 miles per hour, these companies struggle with getting from 0 to 100 percent compliance in under 12 months. For these companies this means implementing security for the sake of a deadline, which means not always having the time to test what works and what does not.

The second challenge is the security limiter problem. Once companies reach 100 percent adherence to a given standard, many times they stop developing their information security program. These companies then enter a vicious cycle of identification and remediation. Each year, their auditors alert them to a new set of issues and, each year, the companies fix those and then relax until the following year.

So how do we escape this endless cycle of identification and remediation? How do we provide a way for companies to go from 0 mph to 50 mph in year one, 50 to 100 in year two, and still be inspired to go from 100 to 150 in year three? How do we become proactive instead of being reactive? One option for addressing these problems is the capability maturity model (CMM) that involves risk management.

A CMM is nothing new or innovative. It’s a useful approach for managing the maturity in a system. The Computer Security Handbook 4th Edition reveals that CMMs originated from software development. This book states that a CMM “can be used as a way to assess the soundness of a security product builder’s engineering practices during the many stages of product development.” If a CMM can be used for measuring the soundness of engineering practices, then why not leverage it to measure the soundness of information security practices?

A maturity model encourages continual growth rather than strict adherence to Procrustean boxes of information security. It’s the mathematical equivalent of the integral or the continual variable transmission of an automobile. It provides a smooth curve instead of designated endpoints of information security. For companies suffering from the 0-to-100 problem, a maturity model enables growth from 0-to-50 initially, with the projection of moving from 50-to-100 at a later date. Companies that suffer from the security limiter problem have the ability to continuously and proactively plan information security development to parallel growing business needs, instead of an independent set of criteria.

The Information Security Management Maturity Model (ISM3, or ISM-cubed) provides us with the intersection of information security and a maturity model for growing an information security program. ISM3 describes the process this way:

“Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.

Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.”

In fact, the ISM3 is based in part on extending the Systems Security Engineering Capability Maturity Model (SSE-CMM), which is ISO standard 21827. The SSE-CMM “describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”

In addition, consider the Building Security in Maturity Model (BSIMM), which is “designed to help you understand and plan a software security initiative.” As well there is the, Open Software Assurance Maturity Model (OpenSAMM) project that can “help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” These frameworks exist as tools for helping develop the maturity of organizations and software through the use of measured metrics.

And metrics is where all the magic really happens. Only by measuring the maturity of an organization and matching it to the development and progress of known attacks can we demonstrate that we are maintaining the balance between costs and security. There is a saying that if you and your friend are being chased by a bear, you don’t need to outrun the bear — you need only outrun your friend. In the world of ever-increasing compromises, many companies struggle to stay ahead of the curve. A maturity model, with proper metrics, can help your organization do just that. The best part? Companies that implement a maturity model and show measured growth are many times more likely to adhere to industry standards such as the PCI DSS.

Abstract

As regulation-deregulation cycles rise and fall, it is important to understand how the evolving landscape of compliance impacts your future. This post proposes maintaining compliance but making validation an opt-out optional component – a radical change from the status quo.  Evidence already suggests the industry is moving in this direction and changes to compliance are necessary for the continuance of risk management.

Please understand that when I say opt-out, I am referring to mandated external, third-party validation requirements. I think internal validation is more important than ever.

Special thanks to idea people: @lennyzeltser, @mckeay, @alexhutton, @kindervag, @joshcorman

Background

I recently read Lenny Zeltser’s blog titled “Could Regulatory Compliance Encourage Weaker Security?” This is a valid question and one that needs addressing. The question can be rephrased as, “Who does compliance work best for?” To answer that question we need to understand why compliance exists.

In a blog post I wrote on How Compliance Regulations Gets Made we focus on the natural regulation-deregulation cycles and how they exist in response to an increase or decrease in data breach/loss. The ultimate goal of compliance is to set a baseline of standards within an industry. The question Lenny raises is one I’m often asked by opponents of such standards, “what about the big/little guy (who do not fall within the Bell Curve norm for best practices)?”

It’s true that regulatory compliance is targeted not only at setting a minimum standard for technical security (firewalls and IDS) but also a minimum standard for security maturity (policies and procedures) within an organization. So let’s think about this graphically. There are four quadrants within which to place organizations: those with either high/low-level of security and high/low-level of maturity.

Security vs Maturity

For the purpose of this conversation let’s assume that maturity encompasses the Check and Act aspects of the PDCA Cycle and security refers to the Plan and Do components. The reason I break it down this way is to directly reflect the results of the Verizon PCI Compliance Report (PCIR). This report found that:

“Organizations are better at planning and doing than checking. If the check phase is broken, they cannot act to maintain the state of security over time.”

The Verizon PCIR found that organizations are great at Planning and Doing but not great at Checking and, as a direct result, Acting on those changes. To me this disconnect is the difference between organizations with a high-level vs low-level of maturity within their security practice.

With this in mind, let me suggest that regulatory compliance standards should most impact those organizations with a lack of either security or maturity, but not both. So let’s break this down and the types of organizations they embody.

1. High-Security / Low-Maturity: These companies care about security but have never documented policies and procedures. They have log management systems but have slowly stopped reviewing them. Regulatory compliance can have a positive impact here.
2. Low-Security / High-Maturity: These or organizations run well but with little funding for sorely needed security projects. There has never been a “hammer” to drive spending. Regulatory compliance can have a positive impact here.
3. Low-Security / Low-Maturity: These are organizations that do not care about security or compliance. Perhaps they are too small (mom-and-pop companies) or those that will validate compliance but never maintain it through the year. There is no changing these companies and little that compliance can do for them. Validating compliance for them is a waste of time and money and since there is no driver to maintain a state of security.  (Instead new technologies such as tokenization, end-to-end encryption, and validated payment applications will have the highest impact here.)
4. High-Security / High-Maturity: These are companies at the top-tier of their breed. They don’t manage security, they manage risk! They adopt and implement custom risk management solutions based on careful analysis of data classification and impact analysis reports. These companies see regulatory compliance as a roadblock and implementing industry “best practices” as a deviation from their perfect path.

I propose that regulatory compliance will most help groups 1 and 2, but not groups 3 and 4.  (Unless you consider regulatory compliance the driving force for said technologies above, though I would argue data breaches and word of mouth have a higher impact here than compliance.)

Although I believe in the need for increased education, flexibility of controls, and more data for risk modeling – I’m going to save us a bit of time and skip to the chase.

• Companies in group 3, who do not care about compliance or security, will not change their tune by forcing them to validate compliance.  Instead the end result will most likely be in them checking a box and ending up in the 80% of companies (see: Verizon PCIR) that do not maintain their state of compliance.
• Companies in group 4, who care passionately about risk and security, need a reprise from continually validating against a standard that is built for the average individual. Although, the stated way to address this for PCI compliance is through documenting a set of Compensating Controls, what other options do we have out there? What other ways are there for such companies dealing with compliance validation?

Remember, the stated goal of regulatory compliance, taken from regulation-deregulation cycles, is to reduce the number of data breaches and data loss. In both groups 3 and 4, continual validating against a standard may, in my opinion, have little to no impact on the number of data breaches/loss. The reason is that group 3, though validating will not maintain that validation, and group 4, treat validation as an exercise in documentation.

Other Options

On February 6, 2011, Visa launched its Technology Innovation Plan (TIP) “to recognize and acknowledge merchants in Visa Inc. regions outside of the United States that have taken action to prevent counterfeit fraud by investing in EMV technology.” (Since Visa Europe is a franchise, the “outside the US” may only apply to Asia-Pacific and Latin-America & Caribbean, but it’s a bold change we should view as the tip of an iceberg.)

In essence, they are saying that organizations that have achieved the following, need not continue to validate their compliance against the PCI DSS standard:

• Implemented a sufficient level of controls so as to reduce fraud* (see: EMV)
• Validated their state of compliance once
• Have not suffered a data breach

* Yes, fraud is discernibly different from data breaches but one leads to the other and as a result are interconnected.

Wow, what an innovative approach. I’ve talked about the TIP program with industry insiders and they are mostly in agreement that we don’t know if this will result in positive or negative changes. I feel it will be a great success and here is why.

Opting Out of Validation (Not Compliance)

Presently companies that validate their state of compliance need to submit two things: a validation document (either a self-assessment questionnaire or a report on compliance) and an attestation of compliance (AOC) document. The AOC is nothing more than a memo that reiterates that organizations commitment to following the payment-brand rules for protecting payment card data.

I think organizations that choose to opt-out of compliance validation should still need to sign the Attestation on Compliance (AOC) to reaffirm their social contract and commitment to protecting payment card data. If they fail to achieve this within their, alleged, super-robust security and risk program then they deserve to undergo the same forensic review and financial implications that come with any other organization. If they instead achieve in protecting payment card data and are able to repel the wily-hacker then they should continue their reprieve from annual compliance validation (perhaps they can externally-validate every 2 or 3 years).

The reason I suggest this is because, and here’s the kicker, you cannot tell the difference between a PCI compliant organization and one that has let security and compliance lapse until they experience a data breach. Until that point, both organizations appear, from the outside, to be operating in the same manner.  (Sure, you can tell a difference internally, but so far very few organizations that achieve compliance once organically maintain it year-over-year.)

But Wait – It Already Exists

The PCI Council has already rolled out the Internal Security Assessor (ISA) program and MasterCard has begun listing this qualification as part their validation program requirements.

“Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.”

(Ok, so Visa has not adopted the same stance and companies that store, process, or transmit payment card data for both brands must adhere to the minimum standard for both, but still it’s a change.  Also, the payment card brand validation guidelines are guidance for the acquiring banks who have the ability to manage their validation programs on a case-by-case basis.)

This means that many organizations (there are exceptions) who wish to opt-out of formal validation can do so leveraging their internal assessor team.

Conclusion

What we have is a directional movement towards, what I will call, selective deregulation. Step 1 is the PCI SSC ISA program.  Step 2 is the Visa TIP program.  What is the next step? The only way to know is to wait and see.

I’m not proposing that we do away with validation entirely, but instead that we move into a hybrid approach towards validation that is based on risk, maturity, pas performance, and future commitment.  The market has spoken and the Council and payment brands are already responding.

My suggestions for you?

If you fall into category 1, 2, or 4 above – prepare the following:

• Develop a “heat map” of your internal risks, data types, and exposures
• Adopt a risk management strategy, however rudimentary or advanced
• Attend the PCI SSC ISA training ASAP

If you fall into category 3 above – investigate the following:

• Are you using a PCI validated payment software and hardware?
• Are you using PCI DSS validated service providers?
• Are you area of technologies that reduce the need for PCI compliance such as: tokenization and end-to-end encryption?

A friend recently asked me to help solve for him a Payment Card Industry (PCI) riddle.  Here is a sanitized and rewritten stub:

A competitor of ours is listed on Visa’s PCI list of validated service providers, but we know that they are not compliant with one of the PCI DSS requirements.  We know this because we operate in the same business model and there is no way that they or we can do this one thing.  My assumption is that this is a case of a Qualified Security Assessor (QSA) missing the boat.  Is there any way that we could also get compliant?

To which I replied:

(1) You can always become compliant. (2) The details are not always what they may seem to you or your competitor. (3) Also, compliance validation is in part to do with the Acquiring Bank and or payment brand.

You seem to think you know everything there is to know about your competitor but in all likelihood you do not – nor are you a beautiful and unique snowflake that deserves special consideration.  Nuances unimportant to you may have a big impact on compliance. I’ve heard this argument before – if they do it why can’t we? The answer is because you know better.

Also, your competitor’s acquiring bank or validation entity may permit them to operate in a certain capacity based on factors unknown to you.  My advice is to talk to your acquiring bank or payment brand and ask them to work with you on a solution.  If you don’t want to do that it’s because you know the answer you will get and just don’t like it.

Alternatives

Of course there are work arounds.  My latest mantra of compliance has been to stop teaching people how to comply and instead teaching them how to develop a risk management program with compliance a natural byproduct rather than an end goal.

To do this you need to know what rules you need to obey, which you can bend, and which you need to work around.  Here is a short list of work arounds.

• Compensating controls
• Segmentation: network, operational, physical, role based
• Tokenization or data surrogacy
• Scope reduction
• Point-to-point encryption
• Remove the data
• Truncate or mask the data

The list goes on.

People love to talk about Cloud and they love to talk about PCI. In the past two years the mashup of a PCI Compliant Cloud has been on the forefront of many peoples’ mind.  This post will outline the three key rules of [PCI] Compliance in the Cloud.  To introduce these rules, I’ll ask the question, “can any firewall be used to segment a network?”  The answer is a resounding “No. Only a properly configured firewall can be used to segment a network.”  In the same say, “Can any Cloud be PCI compliant?” By now you should be saying, “No. Only a properly configured Cloud can be deemed PCI compliant.”

3 Rules of Cloud Compliance

1. Compliance is based on the service being delivered, thus we cannot compare PCI-compliant-cloud to PCI-compliant-cloud until we compare the service levels.  Much like a SAS-70 (third-party assessment of a service provider) that only assesses the “control objectives” as defined by the service provider, saying one is PCI compliant in the cloud is situationally dependent on the control objectives or service levels being offered/assessed.

Even if we examine, Infrastructure as a Service (IaaS) the level to which one is validated as compliant is only that which the service offering delivers.  Depending on the level of service the IaaS provider offers may determine the level of effort remaining for the customer to be fully PCI compliant.  For example, the following are three different levels of service offered by hypothetical IaaS Cloud providers:

• A base operating system – in which case the customer must configure it securely according to PCI DSS Requirements 1-8 and 10-12. In addition they may require an independent PCI assessment.
• A hardened operating system and managed security services – in which case the customer must secure the data and manage security alerts according to PCI DSS Requirement 3 and parts of 10 and 11. In addition they may require an independent PCI assessment.
• A hardened operating system, managed security services, and professional service offerings – in which case the customer must verify the outsourced team has properly secured the data, manages security alerts, and performs an annual PCI DSS assessment of the client’s environment.

If you are interested in a good description of service delineation for PCI compliance, check out this example coverage summary table. It clearly shows what they do and what their customers must do to achieve PCI compliance.

2. Compliance is only as strong as the security of the implementation.  (See also: the opening paragraph of this post.)  People love to hate PCI Compliance in the Cloud.  They say it’s not possible.  They ask about multi-tennancy.  They say many things, but at the end of the day if you can secure data in the cloud then you can be compliant in the cloud. It may not be the way you want to configure your systems, and not every implementation can be found compliant, but it’s possible.

The end result is that, YES, you can be PCI compliant in the Cloud – it just depends on how you’ve secured the configuration.

3. PCI compliance for a company is based on their individual compliance plus that of any outsourced vendors.  Migrating to a PCI compliant Cloud vendor will not magically make your entire enterprise PCI compliant. It will not obviate you of your PCI responsibility.  At a minimum, all organizations that use their own merchant ID must comply with PCI DSS Requirement 12.8, which states that organizations must verify proper third-party contracts exist with their cloud vendors and to check the annual PCI validation of their cloud provider.

PCI compliant Clouds can only enable compliance, they will not make you fully compliant.

Notes

In 2008, Chris Hoff asked on his blog if a very specific implementation of Cloud could be PCI compliant.  He received a variety of answers that ultimately pointed to Rule #2.  Although not every cloud may be PCI compliant, there are implementations that can (and have) validate as compliant.

In 2009, Martin McKeay blogged in response to verbiage from Amazon EC2′s PCI compliance statement that one cannot be compliant in that cloud. I actually think Amazon did the right thing by directing users to only accept payments via their Flexible Payment Solution (FPS).  Instead of trying to educate the millions of end users on how to secure their systems and achieve PCI compliance, Amazon make it simple by telling them to direct payment acceptance to a single, secured system.

In 2010, I updated a my 2009 SOURCEBoston presentation on PCI Compliance in the Cloud to discuss if PCI Compliance will Help or Hurt Migration to the Cloud.  This webcast clearly states that, YES, you can be PCI compliant in a cloud environment, just not in every cloud.

I’ve also done two podcasts on PCI Compliance in the Cloud.  One in 2008 and another in 2009.

• Cloud Computing and PCI Compliance (part 1) [2008]
• Cloud Computing and PCI Compliance (part 2) [2009]

I’ve waited longer than usual to write about my feelings on the newly released PCI DSS and PA-DSS v2.0 standards by the PCI Security Standards Council.  I’ll give my own impression and then do a round-up of the various other blog posts and reactions to the update.

Executive Summary

Don’t panic! This too shall pass. (It’s true.)

Timelines

Since v2.0 was released October 28, 2010, the big question is when do I have to start using it and how long as I used v1.2.1?

• PCI v1.2.1: Can be used through the end of 2011. Organizations that are working under v1.2.1 must submit final reports no later than December 31, 2011.
• PCI v2.0: Reports using v2.0 will not be accepted prior to January 1, 2011. Any assessment started after January 1, 2011 should begin to use v2.0.  Any assessment started after December 31, 2011 is required to use v2.0.

Changes Summary

The PCI Council moved from a two (2) year to a three (3) year standards cycle meaning the standards will stay static until 2013.  Tastes great vs Less filling?  People will say this is bad because it does not change, but as Bob Russo stated [26:30] in his podcast with Martin McKeay, “as the landscape changes there is an errata process that involved in the standards. So ee have the ability to issue errata anytime we need to, and if there is something that affects the standard and we have to address it immediately we are able to do that.” In addition, there are the various Special Interest Groups (SIGs) creating content and clarification in areas such as: scoping, encryption, tokenization, virtualization, Chip and PIN, wireless, etc.

The actual changes to the standards were more evolutionary than revolutionary.  This means they were clarifications and consolidations rather than major changes.

The #1 change to impact the industry is not the release of v2.0 of the standard, but release of the PCI Scoping Guidance documentation (still to be released) from the PCI SSC Special Interest Group (SIG) on Scoping. (Full disclosure, I participate on the Scoping SIG.) The scoping SIG is lead by Gene Kim, founder of Tripwire, and include participation from QSAs and merchants alike.  This guidance documentation has the potential to clarify the way we look at the application of every control.  I believe it will bring standardization to the scope of assessments.

Check out Gene Kim’s presentation: 2010 07 BSidesLV Mobilizing The PCI Resistance 1c

For details on changes to the standard, ‘I recommend reading the following two summaries:

• Qualys tech has a nice writeup of the key changes
• Davi Ottenheimer has a good writeup on the Flying Penguin

The key changes I want to highlight:

• Virtualization: Yes, PCI DSS Requirement 2.2.1 is updated to use the word “virtualization” and it’s included in the overall scoping documentation as well.  I’ll defer to Chris Hoff’s writeup for details. Remember that compliance standards should be “technology agnostic”, as such any new technology can [theoretically] be used to comply with the standards as long as they are properly secured.
• Risk Management: The emphasis for risk management increases.  It started with PCI DSS Requirement 12.1.2 which notes an “annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.”  Now, PCI DSS 6.2 expands this to risk ranking vulnerabilities with, “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.”  Though this is a recommendation until June 30, 2012 when it becomes mandatory, I don’t understand why anyone would NOT want to take a risk based approach.
• Secure SDLC: The PCI DSS Requirement 6.5, formerly applicable only to “web applications”, now applies to all developed applications.  It is no longer tied to OWASP but now recommends best practices such as the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.

As many of you know EMV, or more commonly referred to as Chip and PIN (Chip/PIN), have been a long time structure in areas such as Europe and most of the Asia-Pacific region.  Europe made the transition between 2001 to 2006.  Canada has a mandate of October 2010 for implementation and the intra-region liability shift.  The US it seems is now entering the came with a few very small but significant moves.

• Wal-Mart has asked for Chip-and-PIN saying that now is the time to roll it out.
• In May 2010, the United Nations Federal Credit Union (UNFCU) became the first financial institution to begin issuing Chip/PIN cards.
• It should be noted that although AmEx is not technically a “financial institution” in the US, it did issue its “Blue” card with a chip for such transactions in Europe.

So will this bring us all the safety and security we want?  What will this change mean for cardholders and retailers?  Those are more complicated answers and the answer really varies from one region/country/bank to the next.  Here’s a few things that Chip/PIN changes do mean.

Liability Shift

If you read the Visa OpRegs you’ll see three different listings for liability shift.  Merchants that accept Chip/PIN transactions are not always liable for fraudulent transactions since the understanding is that they are asking for both a card and the PIN (something allegedly only the cardholder knows.)

These shifts in liability can be either domestic, intra-region or bilateral shifts (according to Visa).  MasterCard says of domestic liability shifts, “A shift in liability to the non-EMV compliant party, fraud liability is born by non-EMV complaint party for all regional transactions.  Bilateral shifts existed previously between the various Visa Regions, “Visa EU and CEMEA signed a bi-lateral agreement in order for the liability shift rule to apply for international transactions between both regions as soon as the CEMEA rule went into effect on January 2006.”

This shift takes the liability off the merchant, but who does it go to?  Well according to the Financial Ombudsman Service (FOS) in the UK that handles consumer complaint disputes, it is the bank that is responsible for the fraud unless customers acted “without reasonable care”. This could include writing down a PIN or allowing someone else to use a card.  What does this really mean?  Well, banks around the world are struggling as consumers claim fraud and the banks claim “without reasonable care.”

Risky Business

In a ComputerWorld article, analyst Avivah Litan, says that “companies such as Visa and MasterCard should consider easing some of their security requirements for U.S. merchants willing to make their payment systems EMV-ready. Visa has reduced the scope of its security audits in cases where organizations have implemented EMV technologies, and the same could be done in the U.S”

Pardon? (Fallacy alert!)

Let’s remember that Chip/PIN only helps reduce fraud at a singular merchant, it does not reduce the instance of payment card data theft.  In fact Chip/PIN transactions can be just as risky as magnetic stripe transactions from a data theft and skimming perspective.  Chip/PIN cards used as a payment terminal may leave “track equivalent data” which cannot be used to recreate the Chip but could be used to re-encode the magnetic strip on the back of traditional cards.  I mentioned this in 2008 and Gartner is still saying the same thing.

Conclusion

The US moving to Chip/PIN is a good thing and something that will drive down card-present fraud.  It may not directly impact payment card data theft and thus will not detract from PCI DSS compliance. I remember teaching a PCI DSS class of QSAs (back then CISP assessors) in the UK back in 2006.  They struggled with the problem that merchants in the UK thought they didn’t need PCI DSS compliance because they already had adopted Chip/PIN, something they already equated with “credit card security”.  I blogged about this from 2006 – 2007 to explain the differences between Chip/PIN and PCI DSS compliance and risks.

Companies that adopt Chip/PIN will still need to comply with the PCI DSS.  That being said, there are some benefits:

• Reduced interchange (in some instances)
• Reduced fraud (as measured in the UK by APACS)
• Liability shift for Chip/PIN transactions

Links

• Visa International OpRegs on Chip/PIN global mandates (2007)
• Visa Regional OpRegs for Canada (2008)
• Visa Smart Debit/Credit Certification Authority Service Description (2008)
• RBSWorldPay talks about liability shifts

A friend of mine and well known expert on the PCI standards, Branden Williams, blogged about “Does PTS apply to ATMs?“  For those of you still reading that question, PTS stands for PIN Transaction Security and was formerly known as the PIN/PED program.

The important question is which standard do you apply to automated teller machines (ATMs) which seem to exemplify the need for each standard to one degree or another.

Branden reminds us:

ATMs are payment devices just like the card swipe or chip & pin machines we see at mearchants all over the world.  The only difference is that they typically have larger displays, are heavier and more physically hardened, and they spit out money on request.  They’ve also become a great target for hackers to prey on the trusting human (with a fake ATM), or to add sophisticated skimming devices to steal and take advantage of consumer payment data.

It is important to not compartmentalize systems into Procrustean boxes and instead break them into their respective parts.  For example, a company may be both a merchant and a service provider (e.g. Amazon.com or Internet Service Providers).  In the same way an ATM can be broken down into its respective parts and the standards which apply.

• PTS applies to the PIN pad component
• PA-DSS applies to the software running on it (potentially)
• PCI DSS applies to the company that drives the ATM network

I don’t think many people have ever asked themselves what regulatory compliance has in common with immunization, but they should.  The fact of the matter is that these two have more in common than you think and understanding one will help you better understand the other and how to make better educated decisions.  In addition, there are trade-offs — both heath and economic — to the choices one makes in participating in vaccination and immunization programs.  The following addresses a few of these items and opens the doors for further conversation.

Why Comply? Why Vaccinate?

Immunization and vaccination are the process by which an individual or population is treated in order to fortify itself against attack from foreign bodies.  Vaccination against disease can help prevent contracting that pathogen in the future, and preventing multiple individuals in a population from becoming infected helps prevent the widespread outbreak and transmission of diseases such as smallpox, polio, measles, mumps, and anthrax.  By elevating the level of a population that is resistant to such attacks vaccines help protect the entire population from harm.

The problem is that although most all agree that vaccination is positive for the population not everyone agrees that it is positive for the individual.

Since vaccination began in the late 18th century, opponents have claimed that vaccines do not work, that they are or may be dangerous, that individuals should rely on personal hygiene instead, or that mandatory vaccinations violate individual rights or religious principles.

Have we not heard similar arguments against regulatory compliance?  Individuals stating that:

• My environment is already secure
• I know how to manage risk better than the regulatory bodies
• My environment is special and unique and does not fit into your Procrustean boxes

I’ve listened to people sing the virtues of regulatory compliance as often as I’ve heard other individual tell me “that sounds good but it’s not for me.”  I feel as if I’m mediating between the Center for Disease Control (CDC) and a troubled parent about why their child should be vaccinated before entering grade school.

Perspective

Part I

One of the problems with understanding the complexity of the problem is that of perspective.  The CDC and the parent have very different perspectives on vaccines and immunization.  In the same way, the regulatory bodies and those who must comply with them have very different views on how to best apply data security practices.

For example, it is widely known by the payment card industry (PCI) that the majority of small and medium merchants use one of a few brands of payment application.  Many retail merchants use a Micros, VeriFone, or Radiant Aloha (restaurants) point of sale (POS) application.  This high level of homogeneity in a population lends itself to attract attackers (pathogens) who wish to take advantage of any vulnerabilities they can identify in these systems.

The PCI Council, who act as the CDC, along with the card brands mandate that software companies validate their applications against a given security standard (in this case the PA-DSS).  They then introduce these more secure applications into the population and the governing bodies mandate their use over less secure payment applications.

So why not just stop there?  If things were that easy, the CDC would only ever have to worry about one pathogen using one attack vector.  If we secure the retail payment applications, attackers will just move to other industries such as petrol (gas) stations, ski resorts, and florist shops.  To which the industry responds with Dresser Wayne or Gilbarco, SKIDATA, and Teleflora Dove validated payment applications respectively.  The validated payment application program targets to inoculate every industry against the dangers of retaining data most valuable to attackers.

Part II

But what about the individual restaurant owner who says they don’t need a validated payment application?  They claim all the reasons mentioned above from the specialized nature of their business or network to the secure risk management platform they have already implemented.  Why should they comply?

I do not have a good answer to the ‘why’ but I do have one for the ‘how’.  In fact, about 95% of the ‘PCI Wars’ debate going on today try to answer the question of “why” when this is as futile as debating intelligent design vs evolution (because both are based on separate and unequal premises.)  Debating why one should comply is futile as the rules state that everyone who “stores, process or transmits” such data must comply (as per the card brand operating regulations.)

The more interesting question is that of how one should comply.  These examples reference the PCI standards but could apply to just about any regulatory compliance mandate.  The way in which one complies can be taken at a high level.  For the PCI standards it implies preventing the paper and electronic theft of payment card data.  In fact, any way that your company decides to do this implies compliance with the standard.

If parents didn’t mind sending their children to school in hermetically sealed bubbles, then there would be less of a public policy need for them to be vaccinate against disease.  In this way, the parent and child could make their own decision about data security without harming or posing a risk to the rest of the population of school children and their parents.  If your company can, via whatever means at your disposal, hermetically seal itself against attacks then the matter of compliance is simply an exercise for the user in creative documentation, reporting, and compensating controls.  The problem is, many companies over estimate their security controls and thus cause a break in the structure of data security.

Economics of Immunization and Compliance

When approaching the economics of immunization one cannot ignore the population at hand.  For example, a poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs.  To the same degree a more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure (e.g. government systems).

In fact, one of the primary catalysts for regulatory compliance is the build up of problems (e.g. data breaches) within an industry followed by the punctuated equilibrium that brings about a response founded in legislative and regulatory action.

The cost of making a population more secure is relatively simple: require them to use more secure applications and systems.  The cost to the individual can vary along with the benefits.  The same applies to vaccines.

One could go their entire professional life without contracting the flu but this is rather rare in my experience.  Instead many people will get the flu vaccine each year on the off chance they will come in contact with the virus because being bed ridden for 1-2 weeks can be both painful and detrimental to the company.

So what!

The cause of action to vaccinate a population is to immunize them from each other.  The process involves a uniform across the board preemptive treatment that is meant to mitigate risks, not prevent them entirely.  In the same way, regulatory bodies craft legislation as a one-size-fits all in order to protect the population from each other.  The individual implementation should see this as guidance and not a rule without exceptions.

The details of how one protects themselves against attack and infection may be unique to each individual, but they still must comply with the overarching industry agreement to protect themselves and thus the population against attacks.  The implementation will vary, of course it will.  One size does not fit all.  But the industry needs a standard, a baseline, against which it can measure risk.  As new infections and outbreaks occur, the industry will change the baseline to match the new attacks.

Those who can visualize the various perspectives will have a greater visibility into how they can better fortify their individual organizations to both validate against industry mandates and manage risk based on their specific organizational behavior.

When a situation is not risky, there is little need to manage or measure the risk involved.  This applies equally to lending money to friends, reading utility meters, and until a few years ago, handling credit card transactions.  With the growing risk to financial transactions there is a need to improve the ways acquiring banks, processors, gateways, and even merchants manage and measure their risk.

In fact, prior to the PCI DSS the metrics involved in measuring the risk in an acquiring bank’s merchant portfolio were rather basic.  You look at the number of transactions per month and categorize the merchants into business categories.  One would say that online gambling would be riskier than grocery stores.  The logic seemed flawless, at least for the environment at the time.

Unfortunately the environment changed and hackers turned from fame and glory seekers to those wanting large financial payoffs from their prowess.  They began attacking merchants and even banks by finding the low-hanging-fruit never imagined by the industry.  The hackers began targeting:

• POS systems directly connected to the Internet with weak remote access methods
• Weak or insecure wireless located at physical stores
• Insecurities in partner and vendor connections to companies
• Insecure web application software

The hackers identified, by brute force, holes in the security of an industry that were never imagined by those creating the metric for managing their risk.  When the compromises reached a tipping point, the industry began to shift the focus to security.  The banks and card brands formed the PCI Security Standards Council (PCI SSC or Council) in 2006 and invited merchants, POS vendors, and other industry experts to participate (as Participating Organizations.)

In order to realize the importance of this change you have to first understand that people do things based on incentives, and for most companies security is not something they are very willing spend money on.  This can be seen in the ever increasing number of data breaches that occur every day.  Anyone who has had teenagers can tell you that in order to “encourage” a person to do the right thing you need to properly incent them.  Regulatory compliance has been the thing that has incented companies to place an importance on information security for the last 10 years, and PCI DSS compliance has been the leading force for the last three years.

This might pass over as just another regulatory issue like GLBA or SOX if not for the fact that it’s not specific to a business vertical.  The payments industry is sometimes called a “horizontal” because it cuts across so many areas such as banking an finance, travel and entertainment, health care, power and energy, etc.  In fact PCI DSS is the first globally enforced, industry regulated, cross-industry compliance program.  It’s goal is simple: prevent the electronic and paper theft of payment card data.

But why?  Don’t you like it when we ask why?  The reason was not to do this because it’s the right thing.  We all like to say we are acting “green” by composting when really it’s just a way of reducing the cost of our garbage bill.  We want to prevent the loss of this data because someone is paying for the fraud: other merchants, acquiring banks, and many more.

So, we begin to understand that acquiring banks use the binary aspect of PCI DSS compliance as a measuring stick to determine the risk within their merchant portfolio.  Sure there are still the number of transactions, type of business, and size of the organization, but now there is the check box of security.  What does this really mean in practical terms?

Well, of all the PCI DSS requirements, the most important by all accounts is 3.2 which mandates that sensitive authentication data should not be retained post-authorization.  The other requirements for security act to protect this data from being intercepted in the first place.  The end result is that hackers should never have any access to this sensitive authentication data.

OK, so the standard exists to protect the super secret data so banks can measure how risky their merchants are to them.  This acts much like the credit rating agencies such as Moody’s and Standard & Poors.  The question is, “Are the current  metrics sufficient for measuring risk in a merchant portfolio?”

I would argue that, much like the credit rating that says “AAA”, the PCI DSS is only one part of the holistic approach merchant banks should take to measuring risk within their portfolio.  Think back to the collateralized debt obligation (CDO) market that just exploded.  People were packaging mortgages together into one security that people could then trade against.  The problem is understanding the impact that all those thousands of mortgages and the people behind them will have on the value of that one security.

In a similar way, banks need to look at PCI DSS as just one factor in analyzing the risk to their portfolio.  I’d argue that to keep the model working one should look to the Verizon Data Breach report and analyze attack vectors to determine what areas should be measured.

If we look at the data breach landscape we see the following numbers:

• 74% resulted from external sources
• 20% were caused by insiders
• 32% implicated business partners
• 39% involved multiple parties

The metrics companies and banks should use for measuring risk should include:

• Third Parties and the data they share (all three types)
• Deployment of a wireless network (proximity to acceptance channels such as POS)
• Number and size of business processes (POS network, databases, applications)
• Connected business units (call center, data warehouse, or physically insecure locations)

Individual merchants need to prioritize attack vectors.  If we know that more hacking events occur due to weak passwords or default passwords we should focus on eliminating things like “<blank>” or “password” or “<vendor name>” rather than focusing on achieving 7 character, alpha-numeric ones (which for the record are no better than 5 character ones in theory.)

I argue that we need more focus on attack vector trending threat models for regulatory compliance before we focus on the broad spectrum of security best practices.

Many people debate the efficacy, effectiveness, and overall utility of the Payment Card Industry Data Security Standard (PCI DSS).  Some people involved in this debate suffer from a bounded rationality, wherein their rationality is bounded by the few articles they read online, their perspective as a merchant, or their view as an information security professional.

I’d like to outline the good, the bad, and the ugly about the PCI DSS.  I do this not to condemn or defend any one party but instead to raise the level of conversation and debate beyond some of the fallacy ridden discussions we have been having up until now.

The Good

One thing that people do not realize is that the Payment Card Industry is unlike any other.  The reason we all talk about it is because it is more of a “horizontal” than it is a “vertical” industry.  Instead of talking about the banking & finance, agriculture, or even retail industry we are talking about just about every company that utilizes credit cards in some way.  It is the case that regulatory compliance has driven the dollars behind information security since 2001, and the greatest motivator in the past few years has been the PCI DSS.  If we like it or not, this standard has been the carrot (and stick) necessary to making companies care about securing your payment card data.

Until the PCI DSS was created (and the CISP/SDP before it) there was little to no standardized way for acquiring banks to measure the risk present in their merchant population. Sure, they could have reviewed varying security reports but none of these went to the heart of the risk matter by eliminating the retention of sensitive authentication data.  In fact, it was not until the PCI mandates for not storing such data that we saw real change in the payments industry.

Thought the original PCI DSS compliance deadlines were September 30, 2004, it was not until the Visa Compliance Acceleration Program (CAP) in 2007 that substantial movement occurred.  The CAP program provided the motivation necessary to make merchants validate they were not retaining sensitive authentication data.

Information security writer and reporter, George V Hulme, gets it and says, “I still contend, PCI DSS has done much to raise merchant security from the dismal state it was in — to the better state it is in today.”  Things are certainly getting better.

The PCI DSS has given acquiring banks, merchants and service providers a method of measuring their exposure to electronic and paper data compromise, the most important of which is keeping hackers from accessing the payment card data.  This is something that no other security standard specifically calls out.  (There exist many other information security programs but none define industry terms such as “sensitive authentication data” or “cardholder data”.)

So where would we be without the specific PCI mandate to eliminate sensitive authentication data and protect the remaining cardholder data?  Well, I argue we would have even more data breaches than we see today.  In the most recent (3.31.09) Visa Inc statistics, we see that within the U.S. all of the top two merchant levels have either validated compliance or are in the process of remediation.  This is a big change from even 3-4 years ago where many merchants had only begun to protect their payment card data.

Additionally, there has been significant work done to help the medium and smaller merchant levels.  Visa spearheaded the PA-DSS program, formerly the PABP, in an effort to provide secure payment applications to merchants who may not otherwise care about security or compliance.  If we follow the 80/20 rule, it is easy to imagine that 80% of the small (Level 4) merchants use the top 20% of payment applications/terminals.  If the industry can verify these payment terminals are secure they can help reduce the risk of data loss for 80% of the small merchant market.

The Bad

The PCI SSC has put in place a structured 2-year cycle for updating and improving the PCI standards.  These changes hope to move the standard in the direction of protecting data compromises based on evolving attack and threat patterns.  In the move from v1.1 to v1.2 we saw the addition of Requirement 6.6 in direct response to the rise in the number of web application attacks.  These are very positive moves, but I would not say everything is roses.

The PCI DSS references the need for a “risk based” approach but it is buried deep in Requirement 12.1.2, which states, “[security policies must] include an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.”  I like that it is here, but I think this sentence should be the overarching measure by which all requirements are addressed.

There have been many positives moves in this direction.  In April 2008, Bank of America released a document titled Beyond Minimum Compliance: PCI Risk Management.  Though not a risk management framework, this document outlined some Top 10 PCI Best Practices that included: becoming compliant, using secure payment applications, reducing the scope of data, validate compliance, and maintain a state of security throughout the year.  In 2009, the PCI Security Standards Council released a Prioritized Approach to Pursue PCI DSS Compliance.  This takes the PCI SAP and prioritizes each requirement based on, what I assume is, that which may prevent the exposure of payment card data to the greatest number of attacks.

The executive summary of the PCI Security Audit Procedures (SAP) should clearly state the need for a risk management methodology and approach.  Moreover, it should designate a call for action that companies create and maintain a capability and maturity model (CMM) to track their progress in reducing risk.

I’ve found that one of the major roadblocks to compliance adoption is the confusion about to what degree each requirement should be implemented.  These fears could be lessened if the risk management dialogue happened at the beginning of the standard.  Similar approaches have been seen in COBIT and even the ISO27001 (with the ISO27005 framework) to name a few.

The Ugly

What I find ugly about the industry is the continual flame wars that erupt around the standard itself.  I find that many, if not all of these, have to do with the improper implementation of the standard, or the lack of a deeper insight to the industry and the history of regulatory compliance.

Anyone who has worked in a cross section of regulatory compliance arenas can tell you that there is a major difference between government regulated industries and self-regulated industries.  With the exception of NAR’s REALTOR® Secure Program, I don’t know any other industry self-regulation that exists other than the PCI DSS.  (Branden Williams, Alex Hutton and David Mortman remind me of the HiTRUST program for the health care industry.)  This is a welcome anomaly in the world of government mandates.  Those who think PCI DSS is hard to comply with may not have dealt with GLBA or SOX.  With the GLB Act, if the Fed gives you a low rating (higher number) on your bank, they don’t fine you, they just shut you down.  The payments industry is trying to enable commerce in a more secure way than it was done before.

A favorite topic of Dan Geer is that of punctuated equilibrium.  The historical context of punctuated equilibrium has shown that without incremental action, a buildup of force can result in great reactionary action.  The simplest example of this is that of a volcano or earthquake.  In public policy and the payments industry this buildup has been noted several times.  We can see this historically where the government has intervened after the industry itself could not properly self-regulate.  The Great Depression gave rise to the Securities and Exchange Commission (SEC), the once poor food standards gave rise to the Food and Drug Administration (FDA), and we are now asking if the lack of personal data privacy will give way to a government managed compliance standard.  I argue that self-regulation with continual improvement will make faster strides towards data protection than will omnibus legislation.

People complain that the 2-year life cycle of the PCI DSS is too slow, but they must not be that familiar with the 4-year life cycle for other government mandates.  Also, changing a standard any faster would cause merchants’ heads to spin!  Though the payments industry is trying to self-regulate, this never seems to be enough for some people.

The “ugly” side of the industry is that which everyone becomes a pundit, spinning the story to meet their specific pain.  People say that PCI DSS is all about “risk transference” which is a flat out fallacy of belief.  The truth is that Issuing banks have always picked up the tab for fraud, and have long been able to recover that money from merchants via the various card brand issuer reimbursement programs (i.e. Visa ADCR).  The only thing the PCI DSS ever did was give acquiring banks (and all organizations handling payment card data) a measure against which to protect the payment card data.

This angry snarl of punditry is really the sad conclusion to our state of affairs.  I fully support those who wish to improve the industry but many times people feel that change should be revolutionary and not evolutionary.  They are quick to call your baby ugly and then tell you how to parent your child.  Everyone has their own input, and I just wish people would be more constructive with their comments, feedback, and advice.  We are listening!  I am listening!

As a final note, I’d like to remind the implementers of the PCI standards (merchants and service providers) to take responsibility for their own actions.  The PCI DSS should not be used as a stand alone tool.  Companies need to wrap the DSS in a comprehensive risk management program that is measured through time by a proper capability and maturity model.  Only by staying vigilant and continuously reevaluating our current security posture can we properly protect against the ever changing attack vectors that confront us.

Additional Reading

I also highly recommend PCI Shrugged: Debunking Criticisms of PCI DSS.  Please suggest others in the comments.