For those of you that have been reading this since it was part of the VeriSign blogging program, you know that my posts tend to follow what is most important in my daily life. Or, if not most important, the loudest thing in my daily life that really needs a comment or two. After joining RSA, I spent quite a bit of time talking about advanced threats, especially after the breach. I also sat on the PCI Board of Advisors during that time, but the reality is that my daily work around information security and what the Board was tackling were very far apart. Given the release of 3.0 and the commentary from that to date, I would still agree that the two topics are pretty far apart.
Some of my most exciting work was done right before leaving RSA. We were starting to investigate applications of game theory to information security—something that we should consider here with cardholder data.
Let’s face it. As I said at the Merchant Acquirers’ Committee last week, PCI DSS has done some good for the Retail industry. Overall, those that have been in the business long enough know that the information security posture of retailers prior to PCI DSS was not really going to stop too many attacks. Retailers focused on shrinkage (not the kind that George Costanza experienced) because, for them, the primary way to hurt the company was to convert assets like cash and inventory into expenses like “Losses Due to Theft.” Therefore, that’s what they focused on. PCI DSS helped them improve electronic security measures, but now it’s falling short.
We’re right in the middle of the 4th Edition of PCI Compliance, and it occurs to me that our advice needs to be stated more clearly up front—most companies have no business running a payment processing engine. Does it cost more to outsource? Yep. But it is probably worth it.
That said, I do believe that companies who still rely on payment card data and must comply with PCI DSS need to change the emphasis from passing an assessment to defending their infrastructure. Much of what we learned in dealing with advanced threats (which, let’s be honest, are only advanced because of the publicity, not because they are using quantum computing or anything) should be applied to defending the retail environment. Either that, or companies should make themselves less of a target by outsourcing processing to experts who can handle advanced threats.
If you are subject to PCI DSS, you should applaud your efforts to comply with the standard. But you should also take the advice of the framers and move beyond PCI DSS to secure your systems. There are a number of reasons why PCI DSS is woefully inadequate to fend off the types of attacks we see today, but you can’t blame PCI DSS for those issues. Malware detection on POS devices, network inspection to watch for heartbeats (the periodic check-ins that implanted malware makes to whoever controls it), and paying attention to all the alerts that your systems generate will do more to keep your card data safe than focusing on your PCI DSS assessment (two of the three above are already part of PCI DSS). Early warning is the most critical piece. As we used to say at RSA, stop spending the lion’s share of your budget on prevention. Spend equal parts on prevention, detection, and recovery. Assume the bad guys will get in, and focus on finding them, containing them, and recovering.
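To make the “watch for heartbeats” point concrete, here is an added example (my own illustration, not code from the original post or from any product mentioned in it) of the simplest version of that check: group outbound connections by source and destination, look at the gaps between successive connections, and flag pairs whose gaps are almost constant. The log format and all IPs and timestamps are constructed for the example; a real deployment would read the same three fields from firewall, proxy or NetFlow records.

```python
"""Flag periodic outbound "heartbeat" connections in a connection log.

Added example, not from the original post. The log format is a constructed,
hypothetical flat format: "<epoch_seconds> <src_ip> <dst_ip>:<dst_port>".
"""
from collections import defaultdict
from statistics import pstdev

# Constructed sample data (not real traffic). Host 10.1.20.15 checks in with
# 203.0.113.7 every ~300 s with a few seconds of jitter; 10.1.20.16 talks to
# 198.51.100.22 at irregular intervals; 10.1.20.17 has too few connections
# to judge. Lines are deliberately out of order.
SAMPLE_LOG = """\
1700000000 10.1.20.15 203.0.113.7:443
1700000010 10.1.20.16 198.51.100.22:443
1700000025 10.1.20.16 198.51.100.22:443
1700000100 10.1.20.17 198.51.100.40:80
1700000300 10.1.20.15 203.0.113.7:443
1700000425 10.1.20.16 198.51.100.22:443
1700000432 10.1.20.16 198.51.100.22:443
1700000400 10.1.20.17 198.51.100.40:80
1700000602 10.1.20.15 203.0.113.7:443
1700000700 10.1.20.17 198.51.100.40:80
1700000900 10.1.20.15 203.0.113.7:443
1700001201 10.1.20.15 203.0.113.7:443
1700001632 10.1.20.16 198.51.100.22:443
1700001500 10.1.20.15 203.0.113.7:443
1700001722 10.1.20.16 198.51.100.22:443
1700001755 10.1.20.16 198.51.100.22:443
1700001800 10.1.20.15 203.0.113.7:443
1700002103 10.1.20.15 203.0.113.7:443
1700002405 10.1.20.16 198.51.100.22:443
1700002407 10.1.20.16 198.51.100.22:443
1700002400 10.1.20.15 203.0.113.7:443
1700002617 10.1.20.16 198.51.100.22:443
1700002700 10.1.20.15 203.0.113.7:443
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(log_text, min_connections=6, max_cv=0.1):
    """Return [(src, dst, mean_gap_s, cv, count)] for src/dst pairs whose
    inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) is used instead of
    the raw stdev so a 30 s beacon and a 30 min beacon are judged on the same
    scale. Pairs with fewer than min_connections samples are ignored because a
    handful of evenly spaced connections proves nothing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # log order is not arrival order
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= 0:
            continue  # all connections in the same second; not a heartbeat
        cv = pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append((src, dst, round(mean_gap, 1), round(cv, 4), len(stamps)))
    return findings


if __name__ == "__main__":
    for src, dst, gap, cv, n in find_beacons(SAMPLE_LOG):
        print(f"periodic: {src} -> {dst} every ~{gap}s (cv={cv}, n={n})")
```

On the sample data only the 10.1.20.15 pair is reported: its gaps are within a few seconds of 300, so the coefficient of variation is far below the 0.1 cutoff, while the irregular host scores above 1.0 and the three-connection host never reaches the minimum sample size. Two caveats before running this against real logs: legitimate agents (NTP, monitoring, update checks) are also periodic, so an allowlist of known destinations is needed, and malware that adds deliberate jitter will push the coefficient of variation up, so the cutoff is a tuning knob rather than a constant.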