Imagine for a moment that you own a health care center that treats minor illnesses. The doctors that you hire explain that they will show you how to make money from your sick patients by prescribing morphine for every cough, regardless of the actual health of the patient. As a narcotic, morphine will suppress a cough but will not cure the underlying ailment. The doctors then inform you that occasionally you may even be able to sell the sick patients additional medicine. You struggle with this situation because, although you are not a doctor, you know that these patients do not merely need morphine and that there is a way to make them much better, if not heal them altogether, without the use of a powerful narcotic. The challenge is that once hooked, the patients feel better and will pay you, month after month, for their morphine. Occasionally a patient or two dies, but that is OK because in this fantasy world, the doctor simply says (with even greater emphasis) "prescribe more morphine!"
The situation described above is extreme, yet an analogous situation does exist today. This situation exists in the Payment Card Industry. I, like a number of others, have been a victim of such a situation. The situation to which I am referring is the selling of "compliance" solutions to level 4 merchants to make money for their ISO or acquirer without attempting to cure the underlying disease (poor data security). Every day merchants experience data compromises. The answer, we are told by some, is to ensure all merchants "conduct a self-assessment questionnaire and have a vulnerability scan." While attending a trade show this past April, a scanning vendor was seen to be selling: "PCI for Profit." There was no mention of securing data or preventing data theft or reducing risk. The message was simple. An ISO or acquirer can "encourage" their level 4 merchants to have quarterly network scans by third parties and in turn can generate revenue. The merchants are being told that the scans are the cure to their risk of data compromise.
As disturbing as this sounds to security professionals, it is prevalent in our industry. My own company is classified as a level 4 merchant. We were recently informed by our ISO that we "had been identified as a level 4 merchant and as such had to have a scan performed for $20 per month by an XYZ Scanning vendor." In the same letter our ISO informed us that XYZ company "...was an Approved Scanning Vendor." Upon investigation I found that not only was the company not a PCI SSC Approved Scanning Vendor, but that they were in fact a subsidiary of a large processor who was attempting to force merchants into paying for a scanning solution through an "opt out" program.
More recently I was perusing an industry association website and again came across the same language. To paraphrase "learn how to make money off of your level 4 merchants." I was dumbfounded. When did the focus change from securing and protecting cardholder data to exploiting a legitimate compliance program of which the objective is to protect data in order to profit from the level 4 merchants?
Let me be clear. There is nothing wrong with offsetting costs associated with managing a compliance program. It is expensive and resource intensive to manage the security of a large number of merchants. The challenge is that some organizations have crossed the line by pursuing profits from a program while not providing an appreciable reduction in risk.
There is an asymmetry of information within the industry today. The QSAs and ASVs are intimately familiar with the card brand rules and compliance issues. They are, in effect, the doctors. While the majority of QSAs and ASVs operating in the payment card industry are professional and very capable, some unfortunately are prescribing "scanning" as the cure for every ailment in much the same way that morphine may be prescribed for the cough. Unfortunately the patients are level 4 merchants that do not have access to the same information as the QSAs/ASVs (doctors). They are simply told to take their morphine every month (have their scan) and all will be well.
The merchants (and often their acquirers) believe that by having this scan every month, their data is protected and subsequently, that they are protected from the fallout should a data compromise occur. Unfortunately many of these merchants and their acquirers find out too late that the scans do not protect against most of the attacks against their data in the same way that many addicts find out that morphine does not actually cure the underlying cause of the cough, and in fact has serious side-effects.
Let me be clear. Both morphine and network vulnerability scans are valuable and important. They both also have their uses and their limitations. They are NOT the answer to every ailment nor are they a cure-all. Additionally, the challenge is not that ISOs and acquirers are malicious. Oftentimes they are suffering from the same lack of information as the merchants. If there is blame to be assigned it is to the few companies that promote scanning as the solution to security woes.
Recently the discussion around the term compliance has reached a fever pitch. Companies are being directed to "comply" while security companies and vendors are offering methods to achieve compliance with the PCI DSS. What is disturbing is that security and the protection of data appear to have taken a back seat to the pursuit of compliance.
It must be understood that compliance with any standard does not guarantee security. The theory behind the PCI DSS is simple. As the card brands understand how data is compromised, they can create requirements for controls that should address the compromise trends. Consider PCI DSS Requirement 6.6 as an example. This was written specifically to address the increasing application layer attacks that were resulting in compromises of cardholder data. Astute readers will likely have identified a major issue with this approach. The approach is "reactionary". A vulnerability is identified and a control is required to address the vulnerability after the fact. This results in a relatively static standard that hackers can exploit. Additionally, the standard only changes when sufficient evidence of new attack patterns necessitates a change. Consider your house for a moment. If you knew there was a cat burglar in the neighborhood, would you list your house's security defenses for review?
It is an unfortunate fact that aggressive marketing and the pursuit of compliance have led many organizations to equate compliance with the PCI DSS with security of cardholder data. Can it be argued that companies that are compliant have achieved some level of security? Certainly. That being said, passing a network vulnerability scan from an ASV is a component of compliance validation and is a valuable component of data security but does not assure security of data.
From an information security perspective it is important to undergo vulnerability scans for a number of reasons. First, Requirement 11.2 of the PCI DSS requires companies to undergo such scans on a quarterly basis and whenever they have made significant changes to their infrastructure. Compliance with the standard does necessitate vulnerability scanning. Secondly, scanning reports are required for validation of compliance, as well. The scanning requirement is one of over 220 sub-requirements contained in the PCI DSS. Simply put, a clean scan provides a company with one of two validation components of a very detailed standard.
Unfortunately, the focus on scanning as compliance has overshadowed the objective of the standard - the protection of cardholder data. This errant focus has led many to equate simple scanning with reducing the compromise risk in a given merchant portfolio.
The current environment is such that many acquirers and ISOs are looking for organizations to help them manage the risk of their merchants. Many of these companies are drawn toward solutions that can help them offset the costs associated with managing a compliance program.
The present payment card industry environment has positioned the QSAs and ASVs as the arbiters of information within the payment card industry. This has resulted in an asymmetry of information within the industry, leaving many companies feeling that they are at the mercy of those few organizations that understand the rules and regulations. With the formation of the Society of Payment Security Professionals, the asymmetry of information is changing. For the first time, the same information that has been available to the QSA/ASV community is now available to every merchant, service provider, bank and individual. This is what Thomas Friedman would call the Democratization of Information. This trend, the diffusion of information throughout the industry, can only serve to help increase the overall level of data security in the industry.