
PCI is about eliminating data, not securing it, former QSA says

By Robert Westervelt, News Editor
15 Sep 2008 | SearchSecurity.com


BOSTON -- Forrester analyst John Kindervag says he's sick of hearing people whine about the payment card industry data security standard (PCI-DSS). A former qualified security assessor (QSA), Kindervag said companies often drag out compliance issues instead of dealing with them head-on.

"A lot of times you just have to get down in the mud and get it done," Kindervag said.

In his recent presentation at the Forrester Security Forum 2008, "The Inside Story of PCI: Confessions of a QSA," Kindervag laid out ways companies can have a much smoother experience assessing their security systems and ultimately complying with PCI DSS. PCI demands a different way of thinking from IT security pros and company executives, he said, because it runs against the project-based culture of IT: there is no point at which the work is finished.

"Compliance is a marathon; a never-ending marathon," Kindervag said.

To narrow the scope of PCI, companies should first segment off the network systems that handle credit card data. Next, they must understand not to introduce anything new into those segments, because whatever connects to them is pulled into scope, Kindervag said. The easiest road to compliance: don't store any credit card data at all, he said.

"PCI is a communicable disease," he said. "Anything you introduce can affect other things making them fall within the scope of PCI."

Banks and card brands no longer require companies to retain credit card data. Companies often keep some of it to handle returns, but there are now ways to process a return without storing sensitive data, Kindervag said.

"PCI is not about securing sensitive data, it's about eliminating data altogether," he said.
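Before you can eliminate stored card data you have to find it, and the usual first step is to sweep files, databases and logs for anything that looks like a primary account number (PAN). The script below is an added illustration of that sweep; it is example code written for this page, not from the article or from Kindervag. It assumes (as the article does not state) that PAN candidates are runs of 13 to 19 digits, optionally separated by spaces or dashes, that pass the Luhn check-digit test, and that masking to the first six and last four digits is an acceptable truncation; the sample records it scans are constructed test data, not real cards.

```python
"""Added example: locate Luhn-valid card numbers in stored text and mask
them to first-six/last-four so the full PAN no longer exists on disk.

Assumptions (not from the article): candidate PANs are 13-19 digit runs,
optionally separated by single spaces or dashes, that pass the Luhn check;
truncation to first six and last four digits is acceptable for display.
"""
import re
from typing import List, Tuple

# A digit run of 13-19 digits, allowing one space or dash between digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so '4111-1111-...' and '4111 1111 ...' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digits-only PANs found in text (Luhn-valid candidates only).

    Order numbers, phone numbers and other long digit runs that fail Luhn
    are deliberately not reported, which keeps false positives down.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; replace the middle with 'X'."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns (scrubbed_text, number_of_pans_replaced).
    """
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it untouched

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed sample records (test PANs, not real cards) with one order number
# that is the right length but fails Luhn, so it must not be reported.
SAMPLE_RECORDS = [
    "order 1234567890123 paid with 4111-1111-1111-1111 exp 12/24",
    "refund to 378282246310005 approved",
    "phone 617-555-0123 no card on file",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        scrubbed, n = scrub(line)
        print(f"{n} PAN(s): {scrubbed}")
```

Run it over the constructed records and the order number and phone number pass through unchanged while both test PANs are found and masked. In practice a sweep like this is pointed at database dumps, log archives and backups, which is exactly where card data that "nobody stores" tends to turn up and drag those systems into scope.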

Companies are often confused about Safe Harbor, the indemnification a merchant receives once it has been validated as compliant with PCI DSS. It protects the merchant from fines and compliance exposure in the event of a data breach. The problem is that companies stop maintaining compliance after a QSA has validated them, Kindervag said.

"The only way to indemnify yourself from fines is to be compliant at all times," he said. "I know companies that were compliant at one time but fell out of compliance resulting in a breach."

Preparing for an assessment
Companies shouldn't hire a QSA until they are absolutely sure they are in compliance with PCI, Kindervag said. Start by conducting a policy review. Make policies electronic by creating a wiki, designed to make finding the appropriate PCI requirements easier and to let anyone who accesses it contribute and modify content, Kindervag said.

Next, conduct a gap analysis. Focus on wireless, Kindervag said: it is an area that is constantly changing and riddled with possible security holes. He also suggested implementing Layer 2 bridging on wireless networks so you don't have to re-architect the whole network. Ensure that you're collecting log data, but understand that it is a requirement that exists to aid the card brands.

"Logging is a backup requirement," Kindervag said. "It's a great place to consider outsourcing, but it's also a good place to start a threat management program."

Finally, prioritize the difficult projects, such as network segmentation and encryption deployments.

Hiring a QSA: An insider's perspective
QSAs come in two flavors, Kindervag said: the hacker and the assessor. Find a QSA you are comfortable with, he said.

"You should not be able to buy a ROC," he said. "There's no value in that to you."

Every QSA is unique and has his or her own way of doing things. Understand that QSAs have no power of their own; the acquiring banks ultimately accept the final report. Although QSAs are hired by the merchant, they are independent and in many circumstances are required to make an ethical judgment, Kindervag said.

Conducting an audit is a tedious and time consuming process.

"If you find a QSA that likes the auditing process, you probably want to get a different one," he said.

Most QSAs start by conducting a policy review, followed by a log report review. The QSA also conducts sample testing of company systems for cardholder data. Once that is complete, the QSA completes the report on compliance (ROC).

"If you are not compliant, everything stops and you have to start all over again," he said.

All Rights Reserved, Copyright 2003 - 2009, TechTarget