PCI Compliance: 'Scary how much people don't understand'
Interview with PCI Expert Diana Kelley on Challenges of Meeting New Security Standard
Kelley, a former information security analyst at Burton Group, was previously an information security advisor at top companies including CA, IBM, KPMG and Entrust, among many others. She is a frequent conference speaker and has authored numerous white papers, research documents, articles and book chapters on the subject of information security.
Q: The not-so-simple art of PCI compliance - where are we in terms of maturity?
Kelley: Retailers are taking it very, very seriously. The only brand that is putting out numbers on compliance is VISA, which I find very frustrating. Their numbers are low, but absolutely looking better and better, especially among Level One merchants. I hear a lot of concern from Level Two, Level Three and Level Four merchants. Here in the US they're taking it seriously; in the Nordic countries and the UK they are taking it seriously; hopefully we'll see it spreading throughout Europe. There's been that mindset over in Europe of "We're chip and PIN, and you people are idiots because you're still mag stripe over in the US," and they act as if the chip and PIN solution is invincible. It is not. It only changes the threat model, but it doesn't change the PCI requirement. Once the merchant has that PAN (Primary Account Number), as a merchant it doesn't matter whether they got it off a card with a chip, off a magnetic stripe card, or handed to them written down on a piece of paper. The thing that matters is they have it now, and that is where PCI picks up, when a merchant possesses that PAN. Then they have to authorize it and store it.
With the Nordic countries and the UK taking PCI seriously, I hope it continues and spreads throughout Europe.
What I've heard from Bob Russo, general manager of the PCI Security Standards Council, is that over in Asia, because many companies located there have embraced adoption of ITIL and ISO 27002 standards, they're not as resistant to adoption of PCI as other areas of the world. What they're resistant to is spending more money because they've spent so much money on these very large compliance projects to become ITIL or ISO compliant. They're asking the council to look at what they've done and do some mapping to it, rather than going through this whole other fire drill of compliance work with PCI.
In the US, the problem I see when I speak to customers is that they don't get it. It is really scary how much people don't understand PCI. I talk very often about zoning or segmenting networks and people hear that and think "well, I have a switch in place" or "I have a firewall on my perimeter" and think they're done. Then when I explain what the term segmenting really means to their company, and give specific examples, such as segmenting the wireless ports or guest access to the network, then those same people reply "Oh, we didn't know that was what you meant." Then their faces turn white when they realize that their network was open to guest users.
Another conversation I had with a major retailer went something like this: "Well, we only have one database administrator at our corporate headquarters and he has a lot of controls set when he goes to the database." I replied, "So at your retail stores, how are you protecting the collection at the point of sale and transmission?" To which the retailer said, "Oh, that's included?" Again, the turning white when they realized that they did have a problem.
Q: What is your opinion of what happened at Hannaford?
Kelley: Card Systems was hacked when they were compliant with the predecessor to PCI, the VISA card security standard. Being compliant is no guarantee that the card information won't be stolen. It's no guarantee that there's no liability on the company that suffered the attack, and the second the assessor leaves, if anything is changed in the network environment, say a control is turned off, that could potentially bounce them back out of compliance.
With Hannaford we've still got pieces emerging from the case. What jumped out at me was that the data was taken during the authorization phase. A lot of companies that don't hold the PAN after authorization are in a little bit of a fantasy land if they think they can't be hacked because they don't hold the PAN or store it. It doesn't matter whether it was a 12-hour holding period or a 12-second holding period; the hacker only needs to see it go by in order to capture the number. Companies have to be very cautious about any time that a PAN is on their network. They only need a second to grab that number.
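The point above, that a PAN only has to be visible on the network for an instant to be captured, is what both an attacker's sniffer and a defender's data-loss sensor exploit: they scan passing bytes for digit runs that pass the card-number checksum. The following is an added example, not part of the interview; the scanner, the message layout and the field names (PAN=, TRACK2=, order#=) are constructed for illustration, and the card numbers are the industry's published test numbers rather than real accounts.

```python
"""PAN-in-transit scanner (constructed example, not from the interview).

Scans a byte buffer, such as a captured authorization message, for digit runs
that look like Primary Account Numbers and pass the Luhn mod-10 check.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style truncation: first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data: bytes):
    """Return (byte_offset, masked_pan) for every Luhn-valid PAN in the buffer."""
    text = data.decode("latin-1")   # one char per byte, so offsets are byte offsets
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


# Constructed authorization-style message; the field names and layout are
# made up for this example and are not a real wire format. It carries two
# test PANs plus a 13-digit order number that fails Luhn and so is not reported.
SAMPLE = (b"0100\x02PAN=4111111111111111;EXP=1225;AMT=004217;"
          b"TRACK2=5555555555554444=2512101\x03 order#=9876543210123")

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"PAN at byte {offset}: {masked}")
```

The Luhn filter is what keeps a scanner like this usable on real traffic: timestamps, amounts and order numbers are also long digit runs, but roughly nine in ten of them fail the checksum. The same scan, run by a defender over a packet capture or a process memory dump, is a quick way to find out whether PANs are crossing a network segment in the clear.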
Q: Do you see a sense of urgency among retailers after the Hannaford breach, and are there other retailers out there waiting to be the next Hannaford?
Kelley: There may be more Hannafords out there. I don't doubt it. Unfortunately we're in what others in the industry describe as an arms race against these cyber criminals. We're building networks with layers and walls, and all that the hackers are looking to find is that one chink in the armor so they can push their chipmunk of malware through it. The attacker has a lot of time to poke and poke at these different holes. In the security arena we have to be right all the time; the hacker only has to be right once. The problem is that making things secure and keeping a business running smoothly often run at loggerheads.
Some companies don't care about security. Hannaford did take it seriously and complied with PCI requirements. They proudly put it up on their site that they were PCI compliant. Even taking it seriously and becoming compliant doesn't mean you're going to keep your name out of the newspapers. It's been surprising to me, because Hannaford is in the Northeast, and they are the big chain where I live. It shocked me that I was getting calls from people in California. Here's a company that did everything right and went through the compliance assessments, but is still smeared in headlines across the country because of a breach.
Citizens Bank, located here in the Northeast, took the immediate step after the breach of announcing it was reissuing all credit cards of customers who had shopped at Hannaford, regardless of whether they might have been involved in the breach. So I had friends I met shopping tell me, "I just got a new credit card from Citizens because of the Hannaford breach." Their perception was that Hannaford was evil and Citizens was great. So the bank, by reissuing those cards, instantly raised awareness among its customers about the breach even if it didn't affect them directly.
Q: What do consumers think about when they hear the word security and PCI, and are they interested in security or convenience?
Kelley: We as consumers have to ask, "Who are these retailers protecting, ultimately, when they ask for driver's licenses and home addresses and phone numbers when an item is returned?" TJX was storing driver's licenses and home addresses on returns. Years ago the driver's license number was the holder's Social Security number; it's not as common now. Your credit card number is not identity theft, it's just fraud. If my card continues to be stolen, I may have trouble getting credit, but as we know, credit is offered to anyone with a pulse.