The title of this post is from a quote from a research paper published by Forrester titled ‘PCI Unleashed’. Some of the thoughts discussed by Forrester are so true; I thought I would share a few of them. If you have an opportunity, this is a paper well worth its cost.
One of the key points of the Forrester paper is that PCI was the result of a failure in corporate governance. Forrester correctly points out that had organizations focused on keeping cardholder data properly secured in the first place, the PCI DSS probably never would have existed.
I can confirm that corporate governance is a root cause from my own experiences. We talk a lot to organizations that think PCI is someone else’s problem and that their organization is being singled out. In a lot of these organizations, security has been given the short shrift and has been perpetually on the back burner. In these organizations, senior management sees security, and IT as a whole, as a money pit that does nothing for the organization. This is because senior management is ignorant to what IT and security brings to the table because they have hired security and IT leaders that are mice that are occasionally seen, but certainly never heard.
The card brands have never been shy about why they generated the PCI standards; it was to protect their brands. After all, when a breach occurs, it is almost always reported by the media as, “X number of Visa/MasterCard/American Express/Discover credit cards were disclosed by ABC Company.” The card brands are always called out first, followed by the company and, if the company is a franchise operation, sometimes the franchisee is named. The problem is that the general public typically only remembers the card brand names, sometimes the company name, and usually never remembers the name of the franchisee. Want proof of this, just look at how badly TJ Maxx, HomeGoods, Marshalls and the like suffered after their parent, TJX Companies, incurred one of the largest breaches in history two years ago – NOT! In a public relations coup, TJX Companies got the media to use TJX as the name of the breached organization which protected the brand names of their actual retail outlets. As a result, sales at their retail outlets were only slightly affected by the breach news.
Another point that Forrester brings up is that naysayers point to the fact that PCI compliant companies have been hacked, therefore the PCI standard must not be effective. As I have argued time and again, PCI compliance is not a one time, annual thing. Compliance requires consistent execution of all of the PCI DSS requirements in order to remain compliant. Consistent execution is a struggle for even the most diligent organizations. It requires constant commitment by employees and management to the importance of doing security right all of the time. The problem is that we are all human and humans are fallible. So lapses will occur in any organization. This is why all security frameworks are built on the concept of overlapping controls so that should a control go out of compliance, the whole house of cards does not come down. What differentiates a good organization from a bad organization is that a good organization does not have so many lapses at once that entire control structures fail. If you read the reports from TrustWave and Verizon Business Services on breaches they have investigated, a significant portion of those breaches were the result of systemic failures of the control environment.
Related to the previous point is another good point made by Forrester that the PCI standards are just a baseline and that organizations must go beyond the PCI standards to be as secure as they can be. The PCI DSS is just the ante to be in the game. If you want to be certain, you need to go beyond what the PCI DSS requires. Why? Because new flaws are discovered in software or new techniques are developed that make prior security methods obsolete or no longer as effective. As a result, your security systems must adapt or new security methods need to be developed to detect and circumvent these new threats. The PCI standards may address these new threats in a future version, but it is your organization’s responsibility to deal with them first. This is also why most security experts say that security is a journey, not a destination.
One point of contention I have with this report is that they state, “Companies that already have robust security policies, processes, and technology do not have difficulty with PCI.” Having worked with a number of organizations that meet these criteria, I can attest that this is not necessarily the case. A lot of them have very robust security policies, processes and technologies; however, the day-to-day consistent execution was haphazard at best. Management believed that they were in pretty good shape for meeting the PCI standards. As we pealed the onion on their security environment, it became obvious that all management was seeing was a facade of security. Security people said all of the right things and their policies and procedures said all of the right things, but the actual execution was not even close to consistent. As they like to say, “They talk the talk, but they do not walk the walk.” As a result, these organizations have struggled to change ingrained cultural issues and “bad habits” that can be much tougher to deal with than implementing new policies or technologies.
Finally, the next time you hear someone say that they feel PCI standards are not fair or they are impossible to comply with, ask them if they think they can afford a breach? The best tidbit offered by this Forrester report is their estimated cost per account of a breach. Forrester estimates that a breach costs between $90 and $300 per account breached, excluding lawsuits and any remediation efforts. A modest breach of say 100 accounts carries an estimated cost of $9,000 to $30,000, excluding:
- Legal representation – you know that your organization will be sued or threatened to be sued over a breach and that will require your lawyers to go into action. If you think lawyers are cheap, thing again, particularly when they are fighting a lot of battles;
- Public relations – just as in politics, your organization will have to put the best face on such an incident. If your organization does not, the media will provide that “face” without you and it likely will not be a “good face”;
- Investigation – the card brands will require a forensic examination to be performed. If you think lawyers are expensive, the costs related to a forensic examination will make you believe your lawyers are cheap;
- Remediation – there will be changes required to better ensure security and some of those changes will likely have a cost associated with them. Only the lucky get away with policy or procedural changes with a minimal cost; and
- Loss of sales – your organization will lose customers over this lost of trust and future sales may also be affected if you did not adequately address the public relations aspect.
There are likely other events that will result from such an incident that will also cost your organization time and money. The bottom line is that this is something your organization should avoid at all costs because, in my experience, most organizations do not survive such an incident.