The Truth Behind Three PCI 'Myths'

Posted originally on Wired, InnovationInsights blog

In Part I of this series of posts, I examined how retailers face immense challenges with respect to their cybersecurity posture but don’t often focus on the important elements. For starters, they will spend an inordinate amount of time struggling to "reduce the scope" of their enterprise that needs to comply with the Payment Card Industry (PCI) Data Security Standard. Then, when they are found to be compliant, they too often discover (the hard way) that their bare minimum approach to PCI compliance has left them still vulnerable to exploits and attacks — but even worse, they are not equipped to detect or respond to the attacks. In short, a bare minimum approach to PCI DSS compliance is not what is ideal for optimal protection.

Given the concerns, allow me to weigh in on the following myths and misconceptions which are creating further complexities:

Hard-to-detect, customized malware targeting specific retailer point of sale (POS) systems became much more prevalent in 2013 and 2014.

That’s true. But what’s missing is considering the vulnerabilities commonly being exploited by the malware. They are predominantly OLD vulnerabilities or variants which should have been re-configured or mitigated or patched out of the systems years ago. Retailers are justifiably concerned about the security of their POS systems because they often are built by a third party with embedded operating systems and distributed by the thousands throughout large geographic regions. This makes it hard to patch them, apply anti-virus/anti-malware solutions (while making sure they are updated automatically and scan periodically), install file integrity monitoring solutions, enable logging, copy the logs to centralized logging servers, etc. – all of which are activities required by the PCI DSS.

The upshot: Malware won’t work if systems are secured to meet PCI standards.

Despite spending considerable resources on PCI compliance, criminals are still successfully targeting retailers.

PCI compliance does not equate to security.

PCI compliance COULD equate to security if the standards were actually applied and followed across the enterprise, and not limited to the segmented "cardholder data environment." Which is not to say breaches wouldn’t occur. It’s just that merchants would successfully detect and thwart more attempted attacks. Even when they don’t prevent them, they’d still quickly halt the intrusions with minimal damage. The problem is that too much time and money is spent on technology solutions which purport to do the “boring” heavy lifting and to limit the scope of what needs to be secured. But the true "blocking and tackling" basics of good security requires dedicated individuals to apply paranoid due diligence above and beyond the call of duty.

There are many moving parts and pieces of a retailer store network and many types of users accessing them; making it more difficult to segment the cardholder data environment from the rest of the network.

Two problems here: First, PCI DSS does not require segmentation, particularly as a security best practice (defense in depth) beyond the implied three-level architecture common to e-commerce implementations. Second, segmentation when applied is done for the express purpose of "reducing the scope of the assessment." It often is paired with the implication (or outright overt statement) that "we don’t need to secure the systems that isn’t subject to review." This attitude even extends beyond any perceived Cardholder Data Environment to the systems which a Qualified Security Assessor (QSA) samples versus the entire set of in-scope systems. I’m sure I’m not the only QSA who discovered the customer didn’t apply a mitigation to a problem discovered during sampling beyond the original systems reviewed and the "new" systems reviewed, if just to prove the point. Segment your network to create security-in-depth not to limit scope; and apply the basic PCI DSS controls across the entire network.

Once we clear up the confusion behind these and other myths/misconceptions, it’s easier to obtain both PCI compliance and a fully protected cyber presence. In my next blog, I’ll shed light on five "rules" of PCI to help you move forward.