The Payment Card Industry world felt some very interesting shockwaves this week as the Federal Trade Commission (FTC) issued a news release announcing that it would be issuing orders compelling 9 QSA (PCI Qualified Security Assessor) companies to provide information to the FTC on how they conduct PCI assessments. This order was made as the FTC attempts to gain a better understanding of the state of PCI DSS assessments.
Why is this significant?
A conclusion that one may draw from this announcement is that the FTC is questioning the effectiveness of the PCI standard. There has been a proliferation of breaches of so-called PCI compliant entities. That said, and I stand with the PCI Council and the Card Brands on this one, no breached entity has ever been found to be PCI compliant at the time of the breach. Love it or hate it, the PCI Data Security Standard is a well-defined and prescriptive standard. In fact, I’d say it’s one of the better compliance frameworks out there.
So, why do bad things happen to good companies?
There are a number of inherent weaknesses in the PCI ecosystem that contribute to failures:
- Not all QSAs are created equal – we’ve seen countless instances of corner cutting by QSAs. From overworked QSAs juggling 20+ assessments at a time to shoddily crafted ROCs with mistakes, oversights or just plain wrong information, we’ve seen it all.
Recently, a customer shared with us that their entire assessment was automated and the QSA only showed up for 2 days onsite. In the past, the QSA had been onsite for 3 weeks.
- Inadequate penetration tests – You get what you pay for. Ever wonder why there is such a broad range of costs for penetration testing? That’s because some vendors run a few automated tools and produce a flashy report instead of doing the work it takes to conduct an actual penetration test. The result is you pay a little, check the box, but are left with gaping holes in your security.
True Story: In the course of some pen testing work at a new client where we were replacing an incumbent QSA/pen tester, within the first six hours of a penetration testing engagement of an Internet-facing web application we found three critical findings including the ability to dump the entire database containing credit card transaction history. This web application had received yearly penetration testing, but the previous vendor of penetration testing services did nothing but run Nessus and some OSINT tools to produce a flashy report with no real substance.
- Accountability issues – Organizations still believe that if the CDE sits with a cloud provider, they are off the hook.
- Practicality – many businesses think it’s too difficult or too expensive to bring their entire organization up to PCI DSS requirements.
What does this mean?
Achieving and maintaining PCI compliance is a slog, and it takes hard work by both the assessed entity and the QSA. PCI assessments are not for the faint of heart. It takes a ton of work to maintain compliance and to ensure that the >400 individual elements are in place, with tangible audit trails to demonstrate to the QSA that PCI compliance is baked into your business as usual (BAU) processes.
It takes a ton of work for a PCI QSA to perform a proper PCI assessment (resulting in a 200-400+ page Report on Compliance). This also means that companies who are being assessed should not base their decision solely on pricing – I’ve seen it way too many times – you get what you pay for.
Nobody’s perfect. It is very rare to perform an assessment where the assessed entity is 100% PCI compliant. That is why PCI assessments must be performed on an annual basis. Environments change. People change jobs or roles. Technologies change. Data flows change. Businesses transform. The threat landscape changes.
Who’s to blame?
Is it anyone’s fault in particular? I’d say the one who deserves the LEAST of the blame is the PCI Council. We are all at fault, and here’s why:
The Card Brands are at fault because they fine companies who are not PCI compliant. Technically, they fine the acquiring banks of the non-compliant merchants, who in turn fine the merchants. Therefore, the merchants feel the pressure to ensure that they are “PCI compliant” which means that they may feel inclined to sweep issues under the carpet (rather than tell the QSA) so they don’t risk non-compliance fines.
The merchants are at fault because some (not all!) would rather be PCI compliant than secure. If they have a PCI compliant attestation document / ROC, then they won’t be fined. Sometimes they accept subpar quality assessments, even downright improper or fraudulent ones, in the name of having those boxes checked. And they don’t report the QSAs who performed improper PCI assessments.
The QSAs are at fault because let’s face it – the customers are paying them to perform a PCI assessment and the customers’ measurement of ‘success’ is to achieve PCI compliance. If the QSA is unable to help get the customer there, then they may be replaced with a different QSA company. At the end of the day, we are all in it both for the love of the game and to make a decent living. At the same time, some QSA companies are scam artists charging bottom dollar and performing check-the-box PCI assessments in the name of making a quick and easy buck.
Almost sounds like the three branches of government. I can’t say how the FTC stepping into this quagmire will make things better – I venture to guess that it will make it murkier, but time will tell. Stay tuned for a follow-up post next week on what we can do to effect some positive change in the PCI world.