PCI DSS Compliance: Debating the benefits, unintended consequences Part 2

Can critics of PCI DSS get along with proponents of the standard? Gene Kim of Tripwire Inc. and Martin McKeay of Verizon explain what can be learned by studying the effects of PCI DSS compliance to gather data and apply improvements to the standard where they are needed.

Part 1 of PCI DSS Compliance: Debating the benefits, unintended consequences

This video is part of SearchSecurity.com's new "Eye on" series that brings together various perspectives on security topics throughout the year from SearchSecurity's sister sites, including SearchCloudSecurity.com, SearchSecurityChannel.com, SearchSecurity.co.UK and SearchSecurity.IN. In the month of March the series examines PCI DSS.

Read the full transcript from this video below:


Rob Westervelt: Hi, I'm Rob Westervelt, the news director of www.searchsecurity.com.
Thanks very much for watching this video. Today we are going to be talking
about the Payment Card Industry Data Security Standard with a group of
experts that have been debating the issue over the last year. Up first is
Gene Kim. Gene is founder of Tripwire and he is author of an IT security
book that is due out later this year. With him is Martin McKeay. Martin is a
Senior Security Analyst at Verizon. Gentlemen, thanks very much for
joining us.

Martin McKeay: Thank you, Rob.

Gene Kim: Thank you very much.

Rob Westervelt: Martin, I know that you're a QSA. You've kind of put together this
whole discussion over the last year, along with Gene, on this debate over
whether the Payment Card Industry Data Security Standard is actually
improving security.

Martin McKeay: Obviously, I'm a blogger; I'm a podcaster, as well as being a QSA
for a living. So I get involved in a lot of conversations that have to do
with PCI and its effectiveness, and last year at Mucon there was a panel
that featured Josh Corman and Mike Donn, who both are friends of mine,
but at the end of it there were some misunderstandings and some hard
feelings. This went on for a while because both of them are people who have a
very strong commitment to making security better, and they really did not
understand where the other was coming from about security and about how PCI
was effective. It was creating a lot of tension and some bad blood. Gene
and the folks at Tripwire came to me and said, "You know all of the actors,
you deal with them on a regular basis. We know they really want the same
thing in the end. Can we get them together to talk it out, to discuss it,
to understand where they differ and where they agree?" and how we can use
that tension to move forward the state of security and, specifically, PCI,
because even someone like me, who's a staunch supporter of PCI, admits freely that
it has a lot of room for improvement.

Gene Kim: That is interesting. I think it really started when I was giving a
presentation at B-Sides in Las Vegas where I was relating my
experiences helping create scoping guidance for SOS 44 and what we can
learn from that in terms of properly scoping the PCI environment. One of
the things that we portrayed was: is it possible? I think the representation
can be made that we are sort of doing it wrong. Regardless of what PCI says, as a
community we may be doing it wrong, but it's hard to define what right
looks like, and if we could define what right looked like, and if it could even be
possible, the challenge was made by someone: could even Mike Donn and Josh
Corman hug it out? Then we reached out to Martin and were like, "Who could
help us or engineer this type of discussion?" It was just a very fun
project to critically analyze the problem and then interview them
separately and then interview them together. I do believe there is some
footage of them hugging it out, yes?

Martin McKeay: Somewhere. I think a lot of what was happening is that,
quite frankly, every human being has a different way of communicating,
and whereas they were both saying a lot of the same things in reality, the
method of saying things was coming across differently, so they weren't
realizing they were both asking for the same thing, which is improving the
security of PCI, and a lot of that has to do with finding out whether or not
it is effective. Do we have data saying that PCI works? Do we have data
saying it's not? All we have really, in a lot of cases, is people saying,
"I'm a CTO, this is what I think of PCI." That's kind of hard to have a
real discussion on, but when we sat down and just started talking about it
all, we realized that both actors, both Josh and Mike, understand that the
end goal is this improvement. Now we are trying to figure out how we do
that. We know a lot of things need to be improved. How can we improve it
from the ground up since we don't control the PCI Council? They take
advice from the public, but not that much.

Rob Westervelt: Martin, I know that you are a QSA. I'm wondering when you walk into
businesses as a QSA, is there some animosity there? What is it like
walking into these businesses before you're going to be performing an

Martin McKeay: I would say that initially, almost every QSA does encounter a
little animosity walking in. We are an authoritarian figure coming in to
assess whether or not you are doing your job right. It's a tense
situation. But anybody who's a good QSA learns to disarm some of that
tension and make people understand. Yes, my job is to evaluate your
security, evaluate your programs. But I'm also here as an adviser to tell
you, this is what's not working, or this is what's not in compliance.
Here's how we can make you compliant with a minimum amount of effort and
make you secure, which is more important than being compliant.

Gene Kim: What's interesting to me, what I left with and what sort of
bubbled up through the discussion, was an acknowledgment that the
state of the practice is poor. That spans the QSA community, it spans the
compliance and security community, and one thing that was very evident was
that the rules of the game aren't necessarily well known. When the rules
of the game aren't known, it's difficult for either side to do the right
thing. I think the sincerity of both Josh and Mike did not only recognize
it, but actively do something to help clarify the rules of the game and
share techniques of how one achieves the spirit and intent of PCI
without sucking all the air out of the room doing PCI. I think those
things are what I'm looking forward to, to be generated from a continuing

Rob Westervelt: Martin, some of the earlier complaints that we got about QSAs were that
certain organizations are pushing technology products to help these
organizations achieve PCI compliance. Have we gotten away from that now?
Has that really been addressed by the PCI Council?

Martin McKeay: I don't think so. I know a large part of the QSAs in the world,
and I think that that still exists. I think that there's a lot of
attention to that potential conflict of interest, and I think most QSAs do
a good job of that balancing act, but there's always going to be somebody
out there who's pushing the line and going over it. I think the vast
majority of QSAs really are cognizant of their responsibility in the
assessment and cognizant that I can't sell something to somebody if it's
not actually going to be effective. I'm one of them, and I know that
there's a lot of QSAs who don't want to do the sales job as a QSA because
it does sort of bring up some bad feeling in a lot of us.

Gene Kim: Martin, are you referring to the phenomena where the QSA comes into a
merchant and basically opens up the pocket and inserts the vacuum cleaner? Is that
the perception that you are referring to?

Martin McKeay: Well, sort of. There are a number of QSA companies that, as much
as being a QSA company, are also a service provider. And they want you
to take it from being just an assessment to all of the services, so you can
be compliant. Again, a lot of QSAs don't like having that role of being a
salesman as well as being the auditor or assessor.

Rob Westervelt: Gene, you came from a company that really focuses on compliance
issues. And I'm wondering how PCI has had an effect on the security vendor
community. Are more research dollars going towards solutions that are just
aimed at compliance? Are we seeing less innovation when it comes to

Gene Kim: I think that the position has been stated that compliance is sucking
up all the R&D dollars in the universe and away from innovative security. I'm
not so much bothered by that because, whether we like it or not, we live in
an era of compliance du jour. I mean, there are more regulatory big brothers
here, and they've knocked down the door and said, "We're here to help."
Essentially, that is in reaction to the industry's inability to secure
data, whether it's cardholder data, medical records and so forth. It's a
problem that needs to be solved, and I do believe in the platitude that
when you are secure, compliance is free, but if the industry can't solve the
burning compliance problem, they'll never have a swing at bat to solve the
security problem. I think it's appropriate that R&D dollars are spent to
help practitioners solve the compliance problem. It's up to them to make
sure they are also doing it by being secure.

Rob Westervelt: Are more research and development dollars going towards compliance
solutions, rather than innovative security technologies?

Martin McKeay: As a QSA, one of the things I see a lot is people who have
problems implementing the technologies they have now. So I'm perfectly OK
with dollars being sucked out from R&D, because until we can get a handle
on the things we have in our hands now, R&D is useless. I'm sorry. It's
just not going to happen. We have problems even configuring a firewall
right in most enterprises. There were a couple of the talks at B-Sides
that talked about this. If we can't get something like a firewall
configured, why bother with some of the deeper issues, if we can't get the
surface issues fixed?

Gene Kim: I think that is exactly my attitude, which is, what we're talking
about is rigor and discipline. These are sort of basic block-and-tackle
items, the things that the PCI DSS is requiring us to do. I think that
the challenge is to master, or at least to tackle, things that we should be
doing already, and then maybe we will earn the right to deploy even more
exotic technologies, to mitigate even more exotic risks in the future.

Rob Westervelt: Can the program actually keep up with all of these new innovative

Martin McKeay: Yes and no. We are not going to see PCI adapt to address every
single new technology, every single new change in the environment. It still
has the same basic structure it had when it was created. It has the same
basic structure it's had for 1.1, 1.2, and PCI has not changed drastically.
On the other hand, most of what it addresses are the basic, as Gene said,
block-and-tackle issues, and I don't think those are going to go away any time
soon. So I'm not real happy that there weren't big changes from 1.2 to
2.0, but I understand. We have enough merchants out there that scream
because they are trying to get what's in the DSS now in place. So if they
made major changes, there are actually merchants that would not still be in
business next year because they had to make all of the changes that PCI
required, if they had made major changes to the DSS.

Rob Westervelt: I know Mike Donn has been very much involved in QSA training. You've
undergone some of this training. There's been criticism out there that it's
actually not very difficult to get through some of this training. Talk
about your experience briefly about going through QSA training.

Martin McKeay: Well, since Mike Donn gave me my QSA training originally, I can't
say anything bad about it. I couldn't say anything bad about it anyway.
Since then, I've gone through online training and, quite frankly, I was
rather impressed with the PCI Council's online training last year. I
haven't gone through this year's yet. That's one of the places where,
in my experience, they really are listening to the feedback and have
greatly improved the training, at least the online training. I haven't
seen the in-person training. It's a lot to go over in a few days. A lot
of what you need to see is a QSA who's worked with other QSAs, or worked
as a service provider or as a merchant, because it takes that sort of
experience to really understand the nuances of some of the requirements and
how they apply to your business, and that's why PCI is not changing much,
because it has to have that flexibility to deal with the nuances of
specific environments.

Gene Kim: It's interesting. One of my biggest surprises was in helping lead the PCI
scoping stake. This is sort of the corrective mechanism, where the PCI
community sort of mobilizes to help make changes to either the DSS or
future guidance. The sincerity of the PCI SSC, the Security Standards
Council, to get clarification and guidance out there. There's an ever-growing
body of guidance that is available to both merchants and QSAs
that answers the tough questions. That was probably one of the biggest
surprises: how big that body of knowledge is.

Rob Westervelt: Well, Gene Kim, Martin McKeay, thanks very much, gentlemen, for
joining us.

Martin McKeay: Thank you, Rob.

Gene Kim: Thank you very much.

Rob Westervelt: And thank you for watching this video. For more information on this
topic and more, you can go to www.searchsecurity.com. Thank you.
