The time for nervous anticipation about PCI breach response is over. VISA has issued dramatic PCI Data Security Standard compliance enforcement guidance for Level 1 and 2 merchants and all Service Providers. Effective January 1st, 2015, noncompliance costs will be applied sooner and will escalate more quickly. Many merchants and service providers looking for a reason to improve compliance just got one. The cost of noncompliance will easily hit $250,000 for many small and mid-sized merchants and service providers.
Much of the early speculation has focused on industry adoption of new technologies that will, in the long term, dramatically reduce the inherent risk to cardholder data. There has been an increase in education about emerging threats to cardholder data, both in the public and in the board room. The increased use of end-to-end encryption technologies and tokenization is the path forward, and even a migration to EMV will add a nominal amount of enhanced security. However, the elephant in the room is, “What can we do right now?”
Correcting a Myth about EMV
CEOs (many now ex-CEOs) have quickly highlighted investment in new Point of Sale systems that accept “chip-based” credit cards. The term EMV has unfortunately become associated with more secure transactions. Many retailers have falsely interpreted this migration as negating the need to remain compliant with the PCI Data Security Standard. The time to accept reality is upon us. Merchants and service providers must remain compliant with the PCI Data Security Standard now and well into the future. EMV does little to protect cardholder data, especially since VISA does not require chip-and-PIN authentication, which would also reduce card fraud.
The Facts … PCI Data Security Standard (PCI DSS) Compliance is Rare
Every post-breach situation Coalfire has been hired to support has had a similar theme: the security controls, as implemented, were simply not adequate or were poorly maintained. Even though security operations teams and some QSA organizations were aware of problems, the industry had neither the courage nor the willingness to prioritize remediation until there was large-scale damage to justify changes. The damage is now done. VISA has reacted with a backlash of increased PCI DSS compliance enforcement. The only remaining question is, “Will the industry respond accordingly before unprecedented penalties are issued?”
Moving from Compliance to Cyber Risk Management
Outsiders often ask me why these breaches occur. Do we have to make substantive changes to the PCI Data Security Standard? While there is certainly room for improvement in the current PCI Data Security Standard, it is still the high bar for security standards in any industry. The problem is that it is up to the industry participants to ensure it is really being followed. Based on what we have been hearing at the recent PCI Community Meetings, the Security Standards Council is already moving toward bringing cardholder compliance issues into the board room. PCI DSS compliance is no longer being treated as a “check in the box” process; controls will no longer be implemented in isolation from the risks they are meant to mitigate. The solution to all these recent data breaches can be relatively simple: we have to get better at securing cardholder data and complying with the standards already published by the PCI Council and the card brands.
Two persistent problems will also have to be addressed:
1. Conflict of interest has to be removed; and
2. Annual testing is no longer adequate.
The industry must move away from the inherent conflict of interest created when QSAs also manage firewalls, perform log monitoring, or provide access controls. When these organizations audit the services that they themselves are providing, will you get a truly accurate assessment of their effectiveness or compliance?
An annual compliance review is no longer good enough; daily, weekly, monthly, and quarterly testing at some level should be required going forward. Risks change during the year, and controls must be adjusted to counter those emerging risks.
Qualified Security Assessor (QSA) Companies Are Being Driven to Stricter Enforcement
The PCI Security Standards Council is already taking action to improve enforcement of compliance reporting quality standards. Coalfire, along with many of our competitors, has completed intensive reviews of its own assessment programs. You have already seen many in the QSA and ASV community “red-listed” for their breakdown in complying with testing and reporting requirements. Look for additional QSA, ASV, and PA-QSA organizations to be red-listed if the PCI Council continues on its current path. The message is clear: each QSA must strictly enforce the PCI DSS or risk being removed from the program.
The Result: PCI DSS Compliance Will Improve
Both the acquirer and QSA communities will increase their enforcement of PCI DSS compliance testing and reporting in the short term. This is not the time to take the compliance process lightly. The cost of noncompliance is now more certain and is significant. VISA has responded to demand and will strictly enforce its PCI compliance programs or risk federal regulatory intervention.