Credit card security standards are inadequate.
The security standard used to protect credit cards isn't up to the task and upgrades that are planned for this fall do virtually nothing to improve it, a security expert told Interop attendees this week. Not only that, the so called payment card industry data security standard (PCI DSS) is driving what businesses spend their security money on, which is not necessarily the same set of things they would do to best protect their assets, said Josh Corman, research director in the enterprise security practice of The 451 Group.
One of the glaring shortcomings of PCI DSS is that it doesn't address cloud computing at all, leaving businesses interested in the cost savings promised by the cloud unable to use it in a way that complies. And the draft of the changes that go into effect this fall that Corman has seen don't address cloud, either, he said.
The problem is that with pinched budgets, CIOs and CISOs are forced to limit their security budgets. Since PCI DSS is mandatory for anyone handling credit card data, its requirements are being met, often at the expense of other measures, Corman said.
"PCI has created budgets where there were none," Corman said. A common belief is that IT security is recession proof, but PCI compliance has forced much of the spending that might have been cut otherwise. "It's probably more accurate to say compliance made [security] recession proof," he said.
PCI DSS may or may not do a good job of protecting credit card data, but it definitely doesn't do the best job of protecting all corporate assets based on their value to the corporation, Corman said. "PCI is not meant to protect [your business], it's meant to protect the data you have become responsible for," he said. "The [qualified security assessor] isn't protecting the herbs and spices for the colonel; he protects the credit cards."
The impression within the industry, though, is that PCI DSS is a standard that if applied to any business network will adequately secure it. And since PCI DSS is mandated for many businesses, it sets the bar – perhaps not a very high one – for adequate security, Corman said. Many security executives he talks to say much of their spending is driven by making sure the business can pass a PCI DSS security audit, not that the riskiest assets are protected. "We now fear the auditor more than the attacker. Is that a good thing?" Corman said.
The nature of threats is changing all the time with adversaries persisting and constantly trying new means of attack. Meanwhile, PCI DSS is updated just every two years, which leaves it behind in fighting the latest innovations from attackers, Corman said.
He said some of the principles that buttress the standards don't stand up to analysis. For example, regular, prompt patching of operating systems and applications is touted as a key to data protection. But of 90 breaches that warranted incident responses in 2009, just six could have been prevented by more timely patching, according to a Verizon Business data breach report, he said.
Similarly, the common thinking is that most breaches are caused by insiders, but only 20% of those incidents reported by Verizon were linked to insiders. Of those, half were due to user error, not malicious intent by an insider. "That's an urban legend. We have really bad data," he said.
Antivirus, mandated by PCI, demands the largest chunk of security spending, but 85% of breaches were the result of custom malware that virus software can’t catch, Corman said.
The PCI Council's position is that no data breach was ever successful against a network that was fully compliant with PCI, and that had victims paid better attention to their log data, they would have detected the breaches. "It implies the infallibility of their compliance," Corman said.
But he said a third of the logs in breach cases held no evidence of breaches, according to the Verizon report. PCI gets those who were doing nothing to protect the cards to do something – meet a minimum standard, Corman said.
The bottom line is that there isn't enough data to know whether PCI works or not and whether security controls businesses would have put in place in the absence of PCI might have worked better. "There's too many moving pieces," he said.
To compound the problem, the PCI Council is considering making its review cycle three years rather than two, dropping the standard even farther behind attacker innovation, Corman said.