Is PCI DSS effective? Are there unintended consequences? Mike Dahn, head of PCI Compliance at Verizon and Joshua Corman, director of security research at the 451 Group discuss how PCI DSS has changed the security landscape and how the standards can be improved.
This video is part of SearchSecurity.com's new "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity's sister sites, including SearchCloudSecurity.com, SearchSecurityChannel.com, SearchSecurity.co.UK and SearchSecurity.IN. In the month of March the series examines PCI DSS.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
PCI DSS Compliance: Debating the benefits, unintended consequences Part 1
Robert Westervelt: Hi. This is Rob Westervelt, the News Director of Searchsecurity.com.
Thanks very much for watching this video. There has been a lot of discussion over
the last year, or so about the payment card industry data security standards. With me
are two gentlemen that at first were at odds over the payment card industry standards,
but now have come together and found some common ground. Joining me is Joshua
Corman. He is research director at the 451 Group.
Josh, thanks very much for joining us. Also joining us is Mike Dahn. He’s director of
PCI Compliance at Verizon. Thanks very much for joining us.
Mike Dahn: Thank you.
Robert Westervelt: Josh, why don’t we start with you? I know you’ve talked a lot about
the need for empirical data that supports whether PCI actually works. Are there metrics
out there that support that the payment card industry standards are actually improving security?
Joshua Corman: I think the "is it working" question was well covered territory in the last
year of our debates. A lot of people have been listening to the three-part podcasts, and it
really has made them think on either side. They went from blind hatred of PCI, or blind faith
in PCI, to a little bit more intellectual involvement, and we did discuss quite a few of these things.
Certainly we believe in more data. We have some good data from Verizon, we have some other
reports from Ponemon, Trustwave, and others, and we’re trying to take a look at that.
But, the debate really isn’t, is it working, or isn’t it, anymore. We want to move past that.
The truth is we have to deal with it, and I think where we found some common ground
is the degree to which we can foster more analysis of its intended consequences,
its unintended consequences. The degree to which we can foster more data gathering,
we’ll have the information to know how to take it from whatever level it’s at. We should
measure and assess the level of impact it’s having, good and bad, and push it forward,
because the complacency and stuckness is where people on both sides of the debate agree.
We want to advance this, and improve it.
Mike Dahn: Yeah. I think it’s important to not ask "is it working?" but "are we making
it work for us?", right. Like Josh said, it’s here; it’s something we’re dealing with.
Understanding why it exists is really important, in the first place. I like to talk about
compliance kind of along the lines of vaccination, right. People think it’s good for the society,
but not necessarily good for me. So, if it’s good for the society, how can we make it good for us?
How can we better understand it, so that we can move forward with solid security practices,
and make compliance more of a byproduct that comes naturally instead of the end goal?
Robert Westervelt: You’ve said the word "we", and you said, are we making it work for us.
Are you referring to the security industry, or are you referring to those behind PCI, the card
brands, making it work for us?
Mike Dahn: I’m actually referring to the individual companies. Compliance is something that
tries to raise the bar for an entire industry, and there are pros and cons to that. But, I think that
as the bar is raised, or as the tide comes in, we want to make sure that we have our
boats set appropriately to float it, right. I think it’s important that we see all these rules
and regulations, and instead of getting tangential, and going down the path of, alright,
I’m going to make compliance an end goal, we have to remember what our long-term
focus is. Compliance will come and go, but it’s important that we make risk management
that end goal, always.
Joshua Corman: Yeah. I think a lot of the concerns that I had were that, although,
in principle, PCI would take people who had previously been doing nothing and
start them on their path towards risk management, in actuality we saw and encountered
lots of folks who had previously been doing a fairly decent job, and who felt, actually, that it had
hurt their ability to spend beyond what their CIO would give them for the check box.
So it created the situation where there is discretionary spending, and mandatory spending.
During a bad economy very few got any discretionary spending. Even just last week I had
lunch with a CISO of a large insurance company, and he said they’re not spending a
penny protecting their corporate secrets. All of his budget and time is simply doing the
custodial data. So, I agree with the spirit of helping them start a disciplined program
for risk management and we need to make sure that we’re doing that, and not simply
finding ways to find the fastest, cheapest way to get the auditor out of there. I think that’s
maybe the challenge going forward. We’ve had some progress. We’ve worked some
kinks out, but as other regulations, or changes come in, people are going to need to
self regulate, and continue that path because this standard isn’t going to spoon feed
them the whole way.
Mike Dahn: Yeah. I agree. We don’t want to be zigging and zagging every time there’s
a new regulatory issue. You had interviewed Martin McKeay and Gene Kim, and one of the
things that Martin said was, do we need new technology? No, we just need to start using
the stuff that we have, and I think that’s really key. As people approach compliance as
an end goal, they like check marks, instead of thinking about only the very simple ways
they can reduce risk. If you look at the Verizon data breach report, you can look at just the
items that could potentially be done to help reduce, or mitigate a large percent of the risk,
and that’s not a large cost. It’s talking about things like reducing scope, segmenting the network,
things that aren’t necessarily in the compliance regulations at all. This is what I was talking about
moving beyond compliance. Instead of looking at the one, two, three, four, through 12, identifying
those items within your individual environment, which is going to be custom per organization,
to how you can mitigate the most risk with the cheapest amount of dollars.
Joshua Corman: We can respectfully disagree, but I do disagree with what Gene and Martin have said.
I don’t believe that we should just use the wrong things better. I’m not saying they’re wrong,
but this is why we need the data. One of the great sources of data is the Verizon data
breach reports. You look in it, 94% of the records involve custom malware. Well, what does
PCI require to pass the box? It’s signature antivirus. We know that doesn’t work.
A lot of this is about patching more quickly. Zero of the breaches involved a patchable
vulnerability last year. It doesn’t mean these things are useless, and we should stop patching.
What it means is when you have adaptive adversaries, with motives, the game will change
as we improve certain areas. It’s really, to me, about let’s get a lot more data and find out
that if we only have X budget, we don’t spend 90% of it on stuff that doesn’t really stop
even an amateur attacker.
Mike Dahn: Yeah.
Joshua Corman: Right now it’s conjecture, that’s why we need more data, you know.
I tend to think that most of those controls are pretty easily defeated. My initial position
on this wasn’t to decide, is PCI working, or not. I was more concerned about the fact that,
although it was intended to help with custodial data, it has impacted the spending in the
entire security space towards them.
Mike Dahn: I think that you have to, again, see the forest for the trees. There are
going to be compliance, regulation, and deregulation cycles that exist, so we can’t glom
onto PCI, HIPAA, Sarbanes-Oxley, or something like that, right, to somehow be our
end goal. I don’t want an organization, when I ask them what’s your 2011 security strategy,
for them to say well, let me have my compliance assessor come in, find out where
the gap analysis is, and then I’ll tell you. New technologies are great, but the thing is
are we using them effectively? I really think that it’s important that, just like Josh says,
we need more data to find out what is causing 80%, 90% of the data breaches per your industry,
per the size of your company, the type of data that you’re handling, and then, specific to those
Venn diagrams that intersect with you, identifying what specific technology, or even just
what things you can do with the technology you have to reduce those. I’m a big advocate of
being technology agnostic. It’s not about the next new thing that you’re going to zig
and zag whenever new technology comes out. You don’t want to be reactive,
you want to be proactive. And by being proactive it’s about getting more data,
and that’s one thing that we’re lacking severely in the industry right now.
Joshua Corman: Also, some people mishear, when I say we’re using older things, that
that newer equals better. Some of these newer technologies are very sophisticated, and
you would get zero value unless you had really talented staff that knew how to extract
value from it. It’s more a matter of, at this point, I feel that we, as an industry,
and PCI has helped to reinforce this, we’re looking for very specific things from a
very specific type of attack, or attacker in the past. I think the more successful organizations
are more broadly increasing visibility so they can see things sooner and react more quickly.
There is log management in PCI, but one of the things we’ve learned is that people
aren’t looking at their logs. I’d like to work within the existing framework to help people
understand the true spirit and intent, to maybe make a few refinements on the things that
are fuzzier and we might be able to make the best of what it is while we collect more data
and maybe replace certain items, instead of saying 'use this old technology, which is easily
defeated.' We say 'let’s be more observant and diligent, and be able to react more quickly.'
Mike Dahn: The Verizon PCI compliance report says very much the same thing. It identified
that the things that people are missing are things like, audit log review, anything that
requires manual intervention or recurring activity. No surprise, but why are we still,
you know, stressing about security, or dealing with security? Some of it is due to
new attack vectors, but a lot of it is just due to the same things that we’ve been struggling
with for a long time, right. We’re not doing audit log management well. We’re not reviewing.
We’re installing a web application firewall, and then not reviewing the logs, you know.
It’s some of the basic things that we need to get better at, and I think that you get better
at those by building in some type of capability maturity model that moves
you incrementally towards a more secure infrastructure than, you know, zigging with a
new technology, and zagging with a new compliance rule.
Joshua Corman: Yeah. Now that we’ve got the world understanding how to pass an
assessment, we should help them to improve the yield they get from those investments.
Some people looked at the web app firewall in 6.6 as optional, and it is optional, but
people should probably be exercising that option given the data we see out of Verizon.
I mean, 89% of the records involve SQL injection, a 10-, 11-year-old threat. So, it was actually
a good move adding the WAF and SDL requirement, because had we not, if all the attacks are
at a layer that the other tools can’t really see or intercept, then we would have continued to
have a blind spot. That’s just an example of how we need to evolve, not just a point solution
every time there’s a new threat, but more tamable, scalable vigilance, and more of that OODA
loop: observe, orient, decide, act. We should teach them not to buy the tools, but how to use
them, and how to drive value from them.
Robert Westervelt: Mike, let me ask you, do you think PCI is going to be able to
stand on its own moving forward? What point are we at? Are there going to be
maybe something coming from the Feds to kind of oversee PCI?
Mike Dahn: Sure, sure. PCI was actually one of the very few industry driven
compliance programs. Almost all the others that we see are driven from state or federal government,
something like that. I think that PCI has really helped hedge that aspect of it needing
to be taken over from a government perspective, but we’ve already seen that. People
have been waiting a long time for some type of omnibus legislation around data privacy.
We’ve already seen that in terms of all the state data breach notification laws. We’ve
seen that in terms of other regulations and requirements that are coming out from the
federal government. I think the important thing to do is to not be clouded by the different
rules that exist. So many things happen. It’s not just the technical cloud that we see, but
also the compliance cloud. We’ve got different state laws, we’ve got the national laws,
Sarbanes-Oxley, HIPAA, GLBA, PCI, and sometimes it just becomes overwhelming.
I think that it’s not that we should ignore those in any way, they’re important for very
specific aspects, but we need to develop a security strategy that addresses the known
data that we have, like Josh was saying, and we need to make sure that we’re doing
those from a diligence perspective. I think it’s really important that we’re aware of compliance,
but we’re not focusing on compliance.
Joshua Corman: We don’t want people to be complacent and passive, just ticking boxes.
We want them to be engaged and understanding how to survive as things change,
and if they’re not changing very often, that’s great but how do we advance us from
good to better, and best. I think we’re starting to work together as well. We went from
fighting last year to now, when I have a new model, I call him up, and he makes it a better model.
Mike Dahn: Right now, we’re very aware of regulation. I think that if we were to put
a little bit of effort into some kind of heat map of our organization, looking at all the
different business units, and seeing at high, medium, low the impact that each of those
business units will have with respect to PCI, or from a data breach, or from something,
we can look at those, and focus in on those that are most important instead of saying,
“I need log management, encryption, or something else”. Looking at the heat map of
the organization, and saying where can my security spending be the most effective,
because I think that’s one of the things we’ve talked about, and that I agree with Josh
about, is that we can’t just carpet bomb information security, right. We cannot continue
to do that, so if someone comes to me and says, well I spent a hundred million dollars on
security, or compliance, and it’s not effective. That doesn’t say anything to me. I can go
to Vegas and spend a hundred million dollars you know but am I doing so effectively,
and in the economy that we’re coming out of I think that’s more important than ever.
Robert Westervelt: Josh, hearing so much about cloud computing, as an outsider,
do you think that PCI can adequately, at least at this point, address cloud computing?
Joshua Corman: People that understand the technology and the intent of PCI
can find ways to do it, where you’ve seen several clouds claim that they’re the first
PCI compliant cloud. I think that’s a little bit dangerous when you actually talk to the
council. The cloud’s not compliant. They’re pre-validated on certain components.
Only the tenant and the management of that compliance can be compliant. It’s not like
Amazon is going to look at your logs everyday for you so you maintain your compliance.
I think there’s some confusion in marketing. The other concern we tend to have about the
cloud compliance claims is that, clouds are starting to use PCI as a shorthand for we’re
secure. Because it’s more specific than a SAS70, and, although we keep saying for years
now that compliance does not equal security, the cloud vendors are beginning to message
as if it does. I hope that compliance isn’t the high water mark of our security as we move
things into public clouds. This is something we need to watch closely, be careful about,
and ask more questions when a cloud provider claims they’re compliant, which usually
means that they’re helping you to be compliant, and the things within their sphere of
control have been done for you, and validated in advance, but it doesn’t mean that you
Robert Westervelt: Mike, I know you’re very heavily involved with the QSA program.
Can the program actually keep up with all of these new innovative technologies?
Joshua Corman: I think Mike can, but I don’t think it’s part of the QSA training, or anything.
Mike Dahn: The QSA training a lot of it really is to give someone the right information,
and equip them with the right intent of the requirements to go forward and do the right thing.
I think one of the biggest things that came out, in terms of PCI training, is the council’s
internal security assessor program, basically training the other side of the table.
For years we were training people on one side of the table, equipping them with all the
knowledge, now we’re leveling the playing field so to speak. We are training the merchants,
service providers, the people that are sitting on the other side, and I think that it needs to
go up an exponential step further into training potentially all of the people within the
organization. Not just about, when it says penetration test what does it mean, or when I
have to properly secure my firewall make it so the firewall administrator understands that.
But permeating the understanding of risk into an organization. Why do organizations thrive?
If there’s some type of fostering of success within the organization. Organizations like Google,
and Microsoft, where people just love to go into work, and they love to work. I want people
to have a really strong understanding of risk. So that when the assessor comes in and says
"Have you properly configured your devices?”, they can pull out that risk assessment,
or point to a heat map that was done, and say look, yeah, we actually have, we didn’t
just kind of off the cuff do something, we understand what risk is, we understand
how important this data is, and that some of it, if we can remove just parts of it,
can reduce the financial liability by exorbitant amounts. I think that I want those
types of conversations to be had, not just the intent of the requirements,
because the requirements will change, they’ll evolve, those types of things.
But really have organizations permeate into their culture what is risk management.
Joshua Corman: I think that we’ll know that the PCI initiative has been successful
when we see that it’s viewed as a way to enable their risk programs as opposed to
being seen as the number one threat.
Robert Westervelt: Well, Josh Corman of the 451 Group, and Mike Dahn of Verizon,
thanks very much gentlemen for joining us.
Mike Dahn: Thank you.
Joshua Corman: Thank You.
Robert Westervelt: And thank you for joining us. For more information on the
payment card industry security standards, and on other security issues, you can go
to SearchSecurity.com. Thanks again.