Archive

Posts Tagged ‘regulation’

Selective Deregulation: What you need to know about the future of PCI validation

May 28th, 2011

This post clarifies an earlier one, Considering an Opt-Out Program on PCI Validation, and explains how PCI compliance validation is changing based on the risk measures present in a merchant’s environment.  Regulation and deregulation cycles happen in response to market forces.  In this case selective deregulation is taking the form of reduced validation for merchants that have risk and fraud reduction measures in place.

Present State

When many companies think of PCI compliance they immediately think of a third-party QSA assessment.  For mature organizations this is the old way of thinking, as both Visa and MasterCard permit merchants of any level to perform the assessment with internal staff:

  • Visa (Inc. and Europe) permits a report on compliance from an internal auditor provided it is signed off by an officer of the corporation.
  • MasterCard permits self-assessments but internal auditors must “attend PCI SSC ISA Training and pass the associated accreditation program”

Although organizations must validate annually, they are relieved of this in the following situations (as noted by Simon Sharp):

  • Visa Inc.: a merchant doing 75%+ EMV transactions has no requirement for ongoing external assessment (major abbreviation)
  • Visa Europe: merchants meeting milestones 1-4 of the Prioritized Approach are in a safe harbor even if breached (major abbreviation)
  • Visa Asia: merchants who implement end-to-end encryption or process EMV chip transactions in countries where iCVV penetration is >75% have the following options:
    • Validated compliance with milestones 1-4 of the PCI SSC’s Prioritized Approach is recognized as fulfilling Visa PCI DSS validation requirements.
    • Attest to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent; the merchant level may then be defined by the annual volume of non-chip transactions.

Reducing Risk = Reduced Validation

Visa Inc.’s Technology Innovation Program (TIP) notes that organizations that reduce fraud risk using technologies such as EMV (chip and PIN) no longer need to validate compliance annually.  Visa Europe has its own version of TIP that goes a step further: for merchants who validate against milestones 1-4 of the Prioritized Approach, Visa Europe will:

  • waive penalties for non-compliance or non-progression
  • grant ‘safe harbour’ from penalties and allocation of incremental counterfeit fraud losses in the event of a data compromise

Sure there are caveats and I’m not certain what “allocation of incremental counterfeit fraud losses” entirely means, but the idea that a merchant will achieve safe-harbor from anything is a pretty big carrot with which to lead merchants.

Certainly the pendulum has moved from encouraging compliance to encouraging risk and fraud reduction.  To this end Visa has changed from incentivizing compliance, via the Visa CAP program in 2007, to incentivizing risk and fraud reduction, via the Visa TIP programs in 2011.

PCI Deregulation

Perhaps it’s premature to say that PCI compliance as an industry is in a deregulation phase.  Clearly, regions that have not seen wide adoption, such as Asia and Australia, still need to move towards full compliance and validation.  Conversely, if a merchant has >95% of transactions using EMV (chip and PIN) with iCVV and CDA authentication, the need for PCI compliance may be limited.

Although deregulation may never fully occur, annual third-party validation is no longer necessary for companies that have either reduced the risk to payment card data or built highly mature internal controls and validation capabilities.


Considering an Opt-Out Program on PCI Validation

May 1st, 2011

Abstract

As regulation-deregulation cycles rise and fall, it is important to understand how the evolving landscape of compliance impacts your future. This post proposes maintaining compliance but making validation an opt-out optional component – a radical change from the status quo.  Evidence already suggests the industry is moving in this direction and changes to compliance are necessary for the continuance of risk management.

Please understand that when I say opt-out, I am referring to mandated external, third-party validation requirements. I think internal validation is more important than ever.

Special thanks to idea people: @lennyzeltser, @mckeay, @alexhutton, @kindervag, @joshcorman

Background

I recently read Lenny Zeltser’s blog titled “Could Regulatory Compliance Encourage Weaker Security?” This is a valid question and one that needs addressing. The question can be rephrased as, “Who does compliance work best for?” To answer that question we need to understand why compliance exists.

In a blog post I wrote on How Compliance Regulations Get Made we focus on the natural regulation-deregulation cycles and how they exist in response to an increase or decrease in data breach/loss. The ultimate goal of compliance is to set a baseline of standards within an industry. The question Lenny raises is one I’m often asked by opponents of such standards: “what about the big/little guy (who do not fall within the Bell Curve norm for best practices)?”

It’s true that regulatory compliance is targeted not only at setting a minimum standard for technical security (firewalls and IDS) but also a minimum standard for security maturity (policies and procedures) within an organization. So let’s think about this graphically. There are four quadrants within which to place organizations: those with either high/low-level of security and high/low-level of maturity.

Security vs Maturity

For the purpose of this conversation let’s assume that maturity encompasses the Check and Act aspects of the PDCA Cycle and security refers to the Plan and Do components. The reason I break it down this way is to directly reflect the results of the Verizon PCI Compliance Report (PCIR). This report found that:

“Organizations are better at planning and doing than checking. If the check phase is broken, they cannot act to maintain the state of security over time.”

The Verizon PCIR found that organizations are great at Planning and Doing but not great at Checking and, as a direct result, Acting on those changes. To me this disconnect is the difference between organizations with a high-level vs low-level of maturity within their security practice.

With this in mind, let me suggest that regulatory compliance standards should have the most impact on organizations that lack either security or maturity, but not both. So let’s break down the four quadrants and the types of organizations they embody.

  1. High-Security / Low-Maturity: These companies care about security but have never documented policies and procedures. They have log management systems but have slowly stopped reviewing them. Regulatory compliance can have a positive impact here.
  2. Low-Security / High-Maturity: These are organizations that run well but with little funding for sorely needed security projects. There has never been a “hammer” to drive spending. Regulatory compliance can have a positive impact here.
  3. Low-Security / Low-Maturity: These are organizations that do not care about security or compliance. Perhaps they are too small (mom-and-pop companies), or they will validate compliance but never maintain it through the year. There is no changing these companies and little that compliance can do for them. Validating compliance is a waste of their time and money, because there is no driver to maintain a state of security.  (Instead, new technologies such as tokenization, end-to-end encryption, and validated payment applications will have the highest impact here.)
  4. High-Security / High-Maturity: These are companies at the top-tier of their breed. They don’t manage security, they manage risk! They adopt and implement custom risk management solutions based on careful analysis of data classification and impact analysis reports. These companies see regulatory compliance as a roadblock and implementing industry “best practices” as a deviation from their perfect path.

I propose that regulatory compliance will most help groups 1 and 2, but not groups 3 and 4.  (Unless you consider regulatory compliance the driving force for said technologies above, though I would argue data breaches and word of mouth have a higher impact here than compliance.)

Although I believe in the need for increased education, flexibility of controls, and more data for risk modeling, I’m going to save us a bit of time and cut to the chase.

  • Companies in group 3, who do not care about compliance or security, will not change their tune because they are forced to validate compliance.  Instead the most likely result is that they check a box and end up among the 80% of companies (see: Verizon PCIR) that do not maintain their state of compliance.
  • Companies in group 4, who care passionately about risk and security, need a reprieve from continually validating against a standard that is built for the average organization. The stated way to address this for PCI compliance is by documenting a set of Compensating Controls, but what other options do we have? What other ways are there for such companies to deal with compliance validation?

Remember, the stated goal of regulatory compliance, taken from regulation-deregulation cycles, is to reduce the number of data breaches and data loss. In both groups 3 and 4, continual validation against a standard may, in my opinion, have little to no impact on the number of data breaches/loss. The reason is that group 3 will validate but not maintain that state, and group 4 treats validation as an exercise in documentation.

Other Options

On February 6, 2011, Visa launched its Technology Innovation Program (TIP) “to recognize and acknowledge merchants in Visa Inc. regions outside of the United States that have taken action to prevent counterfeit fraud by investing in EMV technology.” (Since Visa Europe is a franchise, “outside the US” may only apply to Asia-Pacific and Latin America & Caribbean, but it’s a bold change we should view as the tip of an iceberg.)

In essence, they are saying that organizations that have achieved the following need not continue to validate their compliance against the PCI DSS standard:

  • Implemented a sufficient level of controls so as to reduce fraud* (see: EMV)
  • Validated their state of compliance once
  • Have not suffered a data breach

* Yes, fraud is discernibly different from data breaches but one leads to the other and as a result are interconnected.

Wow, what an innovative approach. I’ve talked about the TIP program with industry insiders and they are mostly in agreement that we don’t know if this will result in positive or negative changes. I feel it will be a great success and here is why.

Opting Out of Validation (Not Compliance)

Presently, companies that validate their state of compliance need to submit two things: a validation document (either a self-assessment questionnaire or a report on compliance) and an attestation of compliance (AOC) document. The AOC is nothing more than a memo that reiterates that organization’s commitment to following the payment-brand rules for protecting payment card data.

I think organizations that choose to opt out of compliance validation should still need to sign the Attestation of Compliance (AOC) to reaffirm their social contract and commitment to protecting payment card data. If they fail to achieve this within their, allegedly, super-robust security and risk program then they deserve to undergo the same forensic review and financial implications that come with any other organization. If they instead succeed in protecting payment card data and are able to repel the wily hacker then they should continue their reprieve from annual compliance validation (perhaps they can externally validate every 2 or 3 years).

The reason I suggest this is because, and here’s the kicker, you cannot tell the difference between a PCI compliant organization and one that has let security and compliance lapse until they experience a data breach. Until that point, both organizations appear, from the outside, to be operating in the same manner.  (Sure, you can tell a difference internally, but so far very few organizations that achieve compliance once organically maintain it year-over-year.)

But Wait – It Already Exists

The PCI Council has already rolled out the Internal Security Assessor (ISA) program and MasterCard has begun listing this qualification as part of its validation program requirements:

“Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.”

(Ok, so Visa has not adopted the same stance and companies that store, process, or transmit payment card data for both brands must adhere to the minimum standard for both, but still it’s a change.  Also, the payment card brand validation guidelines are guidance for the acquiring banks who have the ability to manage their validation programs on a case-by-case basis.)

This means that many organizations (there are exceptions) who wish to opt-out of formal validation can do so leveraging their internal assessor team.

Conclusion

What we have is a directional movement towards, what I will call, selective deregulation. Step 1 is the PCI SSC ISA program.  Step 2 is the Visa TIP program.  What is the next step? The only way to know is to wait and see.

I’m not proposing that we do away with validation entirely, but instead that we move to a hybrid approach to validation that is based on risk, maturity, past performance, and future commitment.  The market has spoken and the Council and payment brands are already responding.

My suggestions for you?

If you fall into category 1, 2, or 4 above – prepare the following:

If you fall into category 3 above – investigate the following:


How Compliance Regulations Get Made

March 23rd, 2010

In April 2010 I’ll be at SOURCEBoston on a panel discussing how compliance regulations get made.  This got me thinking about how to explain such a complex series of events in simple terms.  I’ve previously discussed the question of “why” regulatory compliance is important and its relation to vaccinations.  Here I’d like to discuss the “how” of regulatory issues.

(If you’d like to hear about this and other PCI related issues then register for the BrightTALK PCI Compliance Summit on March 25, 2010.)

There are so many debates about the pros and cons of regulatory compliance but they all focus on the individual and not the population as a whole.  In fact, the best way to model and examine the evolution of regulation and deregulation is through the eye of the scientist examining the entire population of players.

Background:

Let’s take a look at the history of regulation and deregulation.  The following are a few industries that have experienced both regulation and deregulation over the years; the list could also include industries such as agriculture, telephone, communications (radio, TV, cable), medical and pharmacy.

  • Airline
    –Civil Aeronautics Board (1937)
    –Airline Deregulation Act (1978)
  • Railway
    –Interstate Commerce Commission (1887)
    –Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980)
  • Trucking
    –Motor Carrier Act (1935)
    –Motor Carrier Regulatory Reform and Modernization Act (1980)
  • Energy
    –OPEC price hikes (1973)
    –Emergency Natural Gas Act (1977)

Each of these industries experienced a need for regulation and eventual deregulation in order to keep in check the potential for large problems that could impact large numbers of people (e.g. monopoly, poor conditions, unbounded risk, lack of consumer protection).  In 1935 Congress passed the Motor Carrier Act, which gave the Interstate Commerce Commission (ICC) authority to regulate trucking involved in interstate commerce.  When the confines of this regulation outlived its usefulness the tide turned.  From 1971 until the eventual passage in 1980 politicians worked to remove barriers to entry into this industry and finally passed the Motor Carrier Regulatory Reform and Modernization Act.  This pattern of regulation and deregulation occurs regularly in many industries.

Pattern of Data Loss

It is no surprise to anyone that there is a building momentum of data loss.  We can gather individual statistics from the news or get detailed statistics from DataLossDB.org.  Either way we notice a pattern of attacks and rising numbers of data breaches that make us ask, is the situation getting better or worse?  Is what we are doing having the desired effect?

It’s very difficult to answer that question since the problem is multi-factorial, but there are signs that things are getting better.  As fraud shifts from one industry to another and one method to another we are slowly driving it from the system.  (This type of analysis does not apply as easily to authentication/identity fraud, but may very well when it comes to system infiltration and data exfiltration techniques.)  For example, we see attack vectors moving from one method to another and from one geographic region to another.  Attackers originally stole data from flat files, but when those were encrypted the attackers began capturing data as it traversed the network.  When this was encrypted they began installing custom malware to capture data in memory.  Slowly the protections are moving from the system, to the network, to software, and finally to hardware.

As protection systems such as chip and PIN were implemented across Europe and Asia we saw a drop in card-present fraud as the attackers moved to online and e-commerce fraud (per UKPA and APACS figures).  The attackers adapted to the system and moved on to other low-hanging fruit.

History of Regulatory Time

I can’t really do justice to replicating the work of David Lineman, of Information Shield, so I’ll simply reference his paper “A History of Regulatory Time” and his graph showing a timeline of security and privacy-related regulations.  Take a look and map the regulations against the major data breaches of recent years, and we begin to notice the correlation of regulation in reaction to the rising tide of data breaches.

Inflection Points and Traffic Jams

Simply analyzing data breaches and their respective reactionary regulation doesn’t paint a precise picture of how the regulations are formed, only that they are somehow correlated.  To understand this we need to first understand a little math.  An inflection point is where a curve changes from bending upward to bending downward, or vice versa: the value itself may still be rising, but its slope switches from increasing to decreasing.  In terms of data breaches, we can ask whether the number of data breaches, though currently increasing, is growing at an accelerating or a slowing rate.

Andy Grove of Intel said in his book Only the Paranoid Survive that “An inflection point occurs where the old strategic picture dissolves and gives way to the new.”  We need to focus on this inflection point in order to understand whether the increasing numbers reflect a state of growth or decline in a system, which we are (unfortunately) only able to measure over time.

In fact, this concept is familiar to physicists as “hysteresis”.

For example, consider a thermostat that controls a furnace. The furnace is either off or on, with nothing in between. The thermostat is a system; the input is the temperature, and the output is the furnace state. If one wishes to maintain a temperature of 20 °C, then one might set the thermostat to turn the furnace on when the temperature drops below 18 °C, and turn it off when the temperature exceeds 22 °C. This thermostat has hysteresis. If the temperature is 21 °C, then it is not possible to predict whether the furnace is on or off without knowing the history of the temperature.

The question we always ask is “Where are we on the Sine Wave of Pain?”  Is the rate of negative events increasing or decreasing?  The only way to know is to gather and map data, measure trending patterns in the industry, and make calculated estimates as to which it is.

One thing is for sure: it is the population, not the individual, that drives regulation, and as such it is the population that examines the rising data loss numbers and determines when it wants change.  It is this demand for change that ultimately starts the regulation engine to affect what the individual cannot directly.

Traffic Patterns and Modeling

Still, all we have shown at this point is that a culmination of actions can result in change brought about by the populace.   How that change is enacted is an area of great interest and one that draws from, of all things, traffic patterns.  Before getting into that I’d like to reflect on different types of phase shifts seen in both nature and fiction.  We are all familiar with the concept of ice melting into water which freezes into ice.  It was Kurt Vonnegut who in his book Cat’s Cradle first proposed the fictional concept of ice-nine.  This was said to be a polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F).  The idea being that ice could maintain its ice form even at room temperature, which is around 20 °C (68 °F) to 25 °C (77 °F).  In the book, it would take only a single fragment of ice-nine coming into contact with the ocean for all the world’s water to freeze.  This shows how a seemingly stable system can react suddenly when given the proper catalyst.

A common method of modeling traffic patterns is the Nagel-Schreckenberg (NaSch) model.  (For more detailed information on this model I recommend reading Traffic Simulation using Agent-Based Modelling by Andrew Lansdowne.)  The model’s fundamental diagram plots traffic flow (y-axis) against traffic density (x-axis).  As the traffic density increases, the traffic flow increases.  This continues until point “A”, where we reach the critical density.  This is the density at which a change can occur but not at which it must occur.  If everyone continues driving along at the same rate the density can increase until a critical event occurs that breaks down the system.  An example could be one person applying the brakes, which causes the person behind them to do the same, and so on.  Point “B” is the moment at which the critical event occurs.  At this point we see the traffic flow decrease, representing the slowing of traffic, until the density is so high that it stops (point “D”).

One interesting feature of this series of events is that the traffic flow pattern will always exist in a cycle moving from point A to B, to D and back to A in that order.  Traffic will never go from D to B because doing so requires it to first traverse A.  Remember that term hysteresis?  In the book Critical Mass by Philip Ball he states, “A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense.  As the traffic rate rises and then falls, the flow rate follows a loop.”

We can examine the same behaviour in another form by mapping space on the road (x-axis) against time (y-axis).  In this second diagram the position of each vehicle is plotted over time.  Until the density decreases the traffic jam will continue.  Here the jam is visible as a dense diagonal band across the diagram.  Once the density decreases we once again see a greater flow of traffic.
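The A-to-B-to-D cycle and the diagonal jam band can be reproduced in a few dozen lines. The following Python is an added example, not code from this post or from the Lansdowne paper it cites: it implements the four NaSch update rules (accelerate, brake to the gap, random slowdown, move) on a single-lane ring road, measures flow at a range of densities, and renders a text space-time plot. Road length, `v_max`, the slowdown probability and the random seed are assumed values, and `fundamental_diagram`, `critical_density` and `space_time_rows` are names chosen here.

```python
"""Nagel-Schreckenberg (NaSch) traffic cellular automaton on a ring road.

Added example; not code from the original post or from Lansdowne's paper.
Parameters (road length, v_max, slowdown probability, seed) are assumptions
chosen so the flow/density curve and the jam band are visible.
"""
import random

EMPTY = -1  # cell holds no car; otherwise the cell holds the car's speed


def nasch_step(road, v_max, p_slow, rng):
    """Advance every car one time step (parallel update reading the old state).

    Returns the new road and the total distance moved this step; summed over
    time and divided by road length that is the traffic flow.
    """
    L = len(road)
    new_road = [EMPTY] * L
    moved = 0
    for x, v in enumerate(road):
        if v == EMPTY:
            continue
        gap = 0                                   # empty cells ahead of car
        while road[(x + gap + 1) % L] == EMPTY:   # stops at next car (or self)
            gap += 1
        v = min(v + 1, v_max)                     # 1. accelerate
        v = min(v, gap)                           # 2. brake to avoid collision
        if v > 0 and rng.random() < p_slow:       # 3. random slowdown
            v -= 1
        new_road[(x + v) % L] = v                 # 4. move
        moved += v
    return new_road, moved


def _seed_road(L, density, rng):
    road = [EMPTY] * L
    for x in rng.sample(range(L), int(round(density * L))):
        road[x] = 0                               # all cars start stopped
    return road


def simulate_flow(density, L=200, v_max=5, p_slow=0.3,
                  warmup=300, measure=300, seed=1):
    """Mean flow (cars passing a point per step) at a given density."""
    rng = random.Random(seed)
    road = _seed_road(L, density, rng)
    moved_total = 0
    for t in range(warmup + measure):
        road, moved = nasch_step(road, v_max, p_slow, rng)
        if t >= warmup:                           # discard the transient
            moved_total += moved
    return moved_total / (measure * L)


def fundamental_diagram(densities, **kw):
    """(density, flow) pairs: the flow-versus-density curve."""
    return [(d, simulate_flow(d, **kw)) for d in densities]


def critical_density(curve):
    """Density at which measured flow peaks (point A in the post)."""
    return max(curve, key=lambda pair: pair[1])[0]


def space_time_rows(density, rows=40, L=80, v_max=5, p_slow=0.3, seed=1):
    """Text space-time plot: one row per step, '.' empty, digit = car speed.

    Cars drive to the right; a jam shows up as a band of zeros drifting to
    the left on successive rows, the diagonal the post describes.
    """
    rng = random.Random(seed)
    road = _seed_road(L, density, rng)
    out = []
    for _ in range(rows):
        road, _moved = nasch_step(road, v_max, p_slow, rng)
        out.append("".join("." if v == EMPTY else str(v) for v in road))
    return out


if __name__ == "__main__":
    curve = fundamental_diagram([0.02, 0.05, 0.1, 0.15, 0.2, 0.3, 0.4, 0.6, 0.8])
    for d, q in curve:
        print(f"density {d:.2f}  flow {q:.3f}  {'#' * int(q * 100)}")
    print("critical density ~", critical_density(curve))
    print("\n".join(space_time_rows(0.4)))
```

Running it prints flow rising with density up to a peak and then falling once jams form, followed by the space-time plot in which the stopped cars trace a band moving against the direction of travel.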

What’s the Solution?

As you can see, modeling traffic patterns can be very similar to the regulation and deregulation of an industry.  So what is the solution to an increase in incidents that pushes us past the critical density?  Contrary to initial thought, the solution to high traffic is not simply to build more roads.  In fact, Richard Moe, head of the US National Trust for Historic Preservation, once said “building more roads to ease traffic is like trying to cure obesity by loosening the belt”.  Simply applying ‘more’ security does not mean you achieve ‘better’ security.

I propose the following approaches:

  • Help prevent data sprawl :: Security is required wherever data is maintained.  Does your environment reflect the “data, data, anywhere” or the “data, data, everywhere” philosophy?  Do you know where all your data is? Does it exist in more locations than is necessary?  Check these items and set measurable actions to correct them.
  • Examine use cases :: While medical record data requires persistence, payment card data is typically used once to authorize a transaction and then not needed again.  The use cases are simple, enabling a flexible set of measures to secure the data.  If your business model does require retention of data then examine what data you are retaining and make sure it’s as benign as possible.
  • Brute force is effective but costly, while the elegant solution is simple and secure :: Have you ever considered replacing the data you retain with a reference number instead?  I recommend you read up on technologies such as point-to-point encryption and tokenization.
  • Solve tomorrow’s problems with today’s technology :: Problems are not hard if you know which ones to solve.  I recommend absorbing and comparing as many of the data breach reports as you can to determine what emerging attack patterns exist in your industry and how to prevent them.  If you are only able to implement one set of technology every 10+ years then make sure it solves tomorrow’s problems and not yesterday’s.
  • Plugging one hole doesn’t save the levee :: Reducing card present fraud drives attackers to e-commerce.  Reducing fraud in one country drives them to others.  Only a holistic solution will work on such interconnected systems.  This is one of the arguments for industry regulation.
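As an added example (not code from this post), here is what “replace the data you retain with a reference number” looks like in practice, together with the data-sprawl check from the first bullet. A small token vault hands the merchant a random token that keeps only the last four digits, stores the PAN nowhere but inside the vault, indexes it by HMAC so even the lookup table holds no cleartext card numbers, and only releases the PAN to an assumed `payment-gateway` role. `TokenVault`, `MerchantOrderStore`, `find_pans` and the role name are names chosen here; the card number used is the well-known constructed test PAN 4111111111111111, not an issued card.

```python
"""Tokenization: retain a reference number instead of the card number.

Added example, not code from the original post. Models a single-process token
vault and a merchant order store; a real vault lives in a segmented system,
ideally backed by an HSM or an encrypted database. The PAN used below is a
constructed test number.
"""
import hmac
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 mod-10 check: True for a syntactically valid PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever stores a PAN.

    Tokens are random, not derived from the PAN, so a stolen order database is
    useless without the vault and there is no key whose loss reverses every
    token at once. Lookup by PAN goes through an HMAC so the vault's index never
    holds the PAN in the clear either.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_hmac = {}

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_hmac:     # same card -> same token (dedup)
            return self._token_by_hmac[idx]
        while True:
            # 16 random hex chars plus the last four digits, which the merchant
            # may print on receipts without holding the PAN itself.
            token = secrets.token_hex(8) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_hmac[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Assumed policy: only the payment gateway may recover a PAN."""
        if caller != "payment-gateway":
            raise PermissionError(f"{caller!r} may not detokenize")
        return self._pan_by_token[token]


class MerchantOrderStore:
    """Merchant-side records: after tokenization they hold no PAN at all."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders = []

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> dict:
        token = self._vault.tokenize(pan)   # the PAN goes no further than here
        record = {"order_id": order_id, "card_token": token,
                  "last4": token[-4:], "amount_cents": amount_cents}
        self.orders.append(record)
        return record

    def refund(self, order_id: str) -> str:
        """A refund needs only the token; the gateway detokenizes it."""
        rec = next(o for o in self.orders if o["order_id"] == order_id)
        return self._vault.detokenize(rec["card_token"], caller="payment-gateway")


PAN_RE = re.compile(r"\b\d{12,19}\b")


def find_pans(records) -> list:
    """Data-sprawl check: Luhn-valid, card-shaped digit runs in a data store."""
    hits = []
    for rec in records:
        for value in rec.values():
            hits.extend(m for m in PAN_RE.findall(str(value)) if luhn_ok(m))
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantOrderStore(vault)
    print(store.place_order("ord-1", "4111111111111111", 1999))  # test PAN
    print(find_pans(store.orders))        # [] : nothing card-shaped retained
```

The point of `find_pans` is that the same scan run over the merchant’s own databases, logs and exports is how you answer “do you know where all your data is”; the point of the random token is that the order store stays out of scope even if it is stolen wholesale.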

3 Habits of Highly Effective Regulation

In the end there are three attributes, or habits, that make regulation effective in achieving adoption and acceptance.

  1. Education, education, education :: This is the single most effective method of driving adoption.  People want to know how to interpret, implement, and adopt the regulation to their business model.  I’ve seen more people fail to start because they didn’t know where to start than anything else.  People want to know if they can use a $0.10 piece of duct tape or if they need to replace the entire engine of the car.
  2. Flexibility of controls :: This is an attribute of so many regulations due to the fact that they apply to such a range of companies, industries, size of organizations and the like.  Remember that 100% compliance is not the goal when system failures occur in groups.  The PCI DSS has what’s called “compensating controls.”  The EU Data Protection Directive has the “comply or explain” concept.  Even the ISO 27000 series do not mandate 100% adherence to each and every control.
  3. More data for Risk Modeling :: Let’s consider this without getting into a debate over Frequentist vs. Bayesian statistics (as I’ll leave that to Alex Hutton).  The more data we have the more closely we can make educated decisions about how to evolve the standard, protect against failure, and make deterministic decisions about how to proceed.  More data will help us understand when we have reached an inflection point and ultimately determine when the rising regulation turns toward deregulation.