
PCI is about eliminating data, not securing it, former QSA says

By Robert Westervelt, News Editor
15 Sep 2008 | SearchSecurity.com


BOSTON -- Forrester Research senior analyst John Kindervag says he's sick of hearing people whine about the Payment Card Industry Data Security Standard (PCI-DSS). A former qualified security assessor (QSA), Kindervag said companies often drag out compliance issues instead of dealing with them head-on.


"A lot of times you just have to get down in the mud and get it done," Kindervag said.

In his recent presentation at the Forrester Security Forum 2008, "The Inside Story of PCI: Confessions of a QSA," Kindervag laid out ways companies can have a much smoother experience assessing their security systems and ultimately complying with PCI-DSS. He said PCI demands a different way of thinking from IT security pros and company executives, because it runs against the project-based culture of IT: there is no point at which the work is finished.

"Compliance is a marathon, a never-ending marathon," Kindervag said.

To narrow the scope of PCI, companies should first segment off the network systems that handle credit card data. Next, they need to avoid introducing anything new into those segments, Kindervag said. The easiest road to compliance: don't store any credit card information at all, he said.

"PCI is a communicable disease," he said. "Anything you introduce can affect other things, making them fall within the scope of PCI."

Banks and card companies no longer require merchants to retain credit card data. Companies often keep some of it to handle returns, but there are now ways to process a return without storing sensitive data, Kindervag said.

"PCI is not about securing sensitive data, it's about eliminating data altogether," he said.


Companies are often confused about safe harbor, the indemnification a merchant receives after it has been validated as compliant with PCI-DSS. It protects the merchant from fines and compliance exposure in the event of a data breach. The catch is that companies fail to stay compliant after a QSA has verified them, Kindervag said: validation is a snapshot, while the indemnification depends on the state of the company at the time of the breach.

"The only way to indemnify yourself from fines is to be compliant at all times," he said. "I know companies that were compliant at one time but fell out of compliance resulting in a breach."

Preparing for an assessment
Companies shouldn't hire a QSA until they are absolutely sure they are in compliance with PCI, Kindervag said. Start by conducting a policy review. Put policies online in a wiki, organized so that the relevant PCI requirement is easy to find and so that anyone who accesses it can contribute and modify content, Kindervag said.

Next, conduct a gap analysis. Focus on wireless, Kindervag said; it's an area that is constantly changing and riddled with possible security holes. Also, use layer 2 bridging on wireless networks so that you don't have to re-architect the whole network, he said. Ensure that you're collecting log data, but understand that the logging requirement exists primarily to aid the card brands.

"Logging is a backup requirement," Kindervag said. "It's a great place to consider outsourcing, but it's also a good place to start a threat management program."

Finally, prioritize the difficult projects, such as network segmentation and encryption deployments.

Hiring a QSA: An insider's perspective
QSAs come in two flavors, Kindervag said: the hacker and the assessor. Find a QSA you are comfortable with, he said.

"You should not be able to buy a ROC," he said. "There's no value in that to you."

Every QSA is unique and has his or her own way of doing things. Understand that QSAs have no enforcement power of their own; the acquiring banks ultimately accept the final report. Although QSAs are hired by the merchant, they are independent, and in many circumstances they're required to make an ethical judgment, Kindervag said.

Conducting an audit is a tedious and time consuming process.

"If you find a QSA that likes the auditing process, you probably want to get a different one," he said.

Most QSAs start by conducting a policy review, followed by a log report review. The QSA also conducts sample testing of company systems for cardholder data. Once that is complete, the QSA completes the report on compliance (ROC).

"If you are not compliant, everything stops and you have to start all over again," he said.
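The sample testing for cardholder data described above, and the advice earlier in the piece to stop storing card numbers before the QSA ever arrives, both come down to one practical check: scan your own logs, database exports and file shares for primary account numbers (PANs) before someone else does. The following is an added example written for this page; it is not code from the article, from Kindervag or from any PCI tool. It assumes a simple digit-run regex and a Luhn check as its own heuristic for spotting PANs (neither is mandated by PCI DSS), and it runs over a handful of constructed log lines whose card numbers are the widely published test numbers, not real accounts. Hits are reported with only the first six and last four digits, so the scanner's own output does not become another store of cardholder data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. Assumption: this regex is
# the example's own heuristic, not a PCI-mandated pattern.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum carried by payment card numbers.

    A digit run that fails Luhn is almost never a PAN, which filters out the
    timestamps, order numbers and phone numbers that happen to be long.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits.

    That is the most of a PAN that PCI DSS permits to be kept in the clear, so
    the scanner reports hits in this form rather than echoing the full number.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (separators stripped) found in one line."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_for_pans(lines) -> list[tuple[int, str]]:
    """Scan an iterable of lines (log file, database dump, spreadsheet export)
    and return (1-based line number, masked PAN) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed sample lines. The card numbers are the widely published test
# PANs (4111..., 5500..., 3782...) and do not belong to real accounts.
SAMPLE_LINES = [
    "2008-09-15 12:30:45 INFO order=ORD-2008091512345 amount=49.99 status=approved",
    "2008-09-15 12:31:02 DEBUG auth request pan=4111111111111111 exp=0910",
    "2008-09-15 12:31:05 INFO refund ref=tok_8f3a9c amount=49.99",
    "customer phone 617-555-0100, card 5500 0000 0000 0004 kept on file for returns",
    "masked pan 411111******1111 retained for returns",
    "card 4111111111111112 rejected by processor (bad check digit)",
    "amex 3782-822463-10005",
]

if __name__ == "__main__":
    for lineno, masked in scan_for_pans(SAMPLE_LINES):
        print(f"line {lineno}: possible PAN {masked}")
```

Only lines 2, 4 and 7 are reported. The 13-digit order number on line 1 and the mistyped card on line 6 fail the Luhn check, line 3 shows a refund keyed by a processor reference rather than a card number (the "handle a return without storing sensitive data" pattern), and line 5 shows a truncated PAN, which is what a system that has eliminated the full number should be left holding. A hit anywhere outside the segmented cardholder environment is exactly the kind of thing that drags a system into scope.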
