The recent breach of Global Payments, a card processor, got me to thinking about the PCI Data Security Standard once again. Specifically, the execution, implementation, and oversight of the assessment process is what bothers me; I’m okay with the spirit and, in general, the mandates of the PCI DSS. On the other hand, the organizations that are performing the checks of compliance (i.e., QSAs and ASVs) cover the entire spectrum of know-nothings to security visionaries. The Security Standards Council has defined requirements to qualify people and organizations to deliver these services, but the reality is not all assessors are created equal and to be competitive there are a lot of corners being cut. Add to that the lack of budget, personnel, and understanding on the processor/merchant side, and we have a recipe for disaster such as that at Global Payments and the infamous TJX breach in 2007.
So, where does the problem lie? We can’t point the finger at a single group here – there are guilty parties throughout the entire ecosystem -
- from the PCI Security Standards Council who is unable to truly monitor (or dare I say, audit) all of the assessment companies;
- to the assessment companies who are competing for business, putting under-qualified assessors on projects, and want to please their client since they’re paying the bill;
- to processors/merchants who want a checkbox that says they’re compliant;
- and finally, to at least one card brand that is deeply entrenched with an assessment company who manages their paperwork and is recommended as if they are the only option (can you say “conflict of interest?”)
By the way, this problem isn’t isolated to PCI – we could almost directly substitute GLBA, SOX, HIPAA, HITECH, and any other regulatory/standard acronym in here.
Now getting back to the title of this post – here at BTB we hold our value system in high regard and know that it is in everyone’s best interest that we tell our clients what they need to hear, even if it isn’t what they want to hear. The PCI DSS is a decent baseline for information security controls when followed properly and with an open mind – there is certainly more that organizations can and should do as their information security programs mature. Make sure you’re choosing a vendor that understands this and will work in your best interest from a financial and leading practice approach.
Some related reading – enjoy!