PCI Feels Like Something Is Being Done To Me

The title of this post is from a quote from a research paper published by Forrester titled ‘PCI Unleashed’.  Some of the thoughts discussed by Forrester are so true; I thought I would share a few of them.  If you have an opportunity, this is a paper well worth its cost.

One of the key points of the Forrester paper is that PCI was the result of a failure in corporate governance.  Forrester correctly points out that had organizations focused on keeping cardholder data properly secured in the first place, the PCI DSS probably never would have existed.

I can confirm that corporate governance is a root cause from my own experiences.  We talk a lot to organizations that think PCI is someone else’s problem and that their organization is being singled out.  In a lot of these organizations, security has been given the short shrift and has been perpetually on the back burner.  In these organizations, senior management sees security, and IT as a whole, as a money pit that does nothing for the organization.  This is because senior management is ignorant to what IT and security brings to the table because they have hired security and IT leaders that are mice that are occasionally seen, but certainly never heard.

The card brands have never been shy about why they generated the PCI standards; it was to protect their brands.  After all, when a breach occurs, it is almost always reported by the media as, “X number of Visa/MasterCard/American Express/Discover credit cards were disclosed by ABC Company.”  The card brands are always called out first, followed by the company and, if the company is a franchise operation, sometimes the franchisee is named.  The problem is that the general public typically only remembers the card brand names, sometimes the company name, and usually never remembers the name of the franchisee.  Want proof of this, just look at how badly TJ Maxx, HomeGoods, Marshalls and the like suffered after their parent, TJX Companies, incurred one of the largest breaches in history two years ago – NOT!  In a public relations coup, TJX Companies got the media to use TJX as the name of the breached organization which protected the brand names of their actual retail outlets.  As a result, sales at their retail outlets were only slightly affected by the breach news.

Another point that Forrester brings up is that naysayers point to the fact that PCI compliant companies have been hacked, therefore the PCI standard must not be effective.  As I have argued time and again, PCI compliance is not a one time, annual thing.  Compliance requires consistent execution of all of the PCI DSS requirements in order to remain compliant.  Consistent execution is a struggle for even the most diligent organizations.  It requires constant commitment by employees and management to the importance of doing security right all of the time.  The problem is that we are all human and humans are fallible.  So lapses will occur in any organization.  This is why all security frameworks are built on the concept of overlapping controls so that should a control go out of compliance, the whole house of cards does not come down.  What differentiates a good organization from a bad organization is that a good organization does not have so many lapses at once that entire control structures fail.  If you read the reports from TrustWave and Verizon Business Services on breaches they have investigated, a significant portion of those breaches were the result of systemic failures of the control environment.

Related to the previous point is another good point made by Forrester that the PCI standards are just a baseline and that organizations must go beyond the PCI standards to be as secure as they can be.  The PCI DSS is just the ante to be in the game.  If you want to be certain, you need to go beyond what the PCI DSS requires.  Why?  Because new flaws are discovered in software or new techniques are developed that make prior security methods obsolete or no longer as effective.  As a result, your security systems must adapt or new security methods need to be developed to detect and circumvent these new threats.  The PCI standards may address these new threats in a future version, but it is your organization’s responsibility to deal with them first.  This is also why most security experts say that security is a journey, not a destination.

One point of contention I have with this report is that they state, “Companies that already have robust security policies, processes, and technology do not have difficulty with PCI.”  Having worked with a number of organizations that meet these criteria, I can attest that this is not necessarily the case.  A lot of them have very robust security policies, processes and technologies; however, the day-to-day consistent execution was haphazard at best.  Management believed that they were in pretty good shape for meeting the PCI standards.  As we pealed the onion on their security environment, it became obvious that all management was seeing was a facade of security.  Security people said all of the right things and their policies and procedures said all of the right things, but the actual execution was not even close to consistent.  As they like to say, “They talk the talk, but they do not walk the walk.”  As a result, these organizations have struggled to change ingrained cultural issues and “bad habits” that can be much tougher to deal with than implementing new policies or technologies.

Finally, the next time you hear someone say that they feel PCI standards are not fair or they are impossible to comply with, ask them if they think they can afford a breach?  The best tidbit offered by this Forrester report is their estimated cost per account of a breach.  Forrester estimates that a breach costs between $90 and $300 per account breached, excluding lawsuits and any remediation efforts.  A modest breach of say 100 accounts carries an estimated cost of $9,000 to $30,000, excluding:

  • Legal representation – you know that your organization will be sued or threatened to be sued over a breach and that will require your lawyers to go into action.  If you think lawyers are cheap, thing again, particularly when they are fighting a lot of battles;
  • Public relations – just as in politics, your organization will have to put the best face on such an incident.  If your organization does not, the media will provide that “face” without you and it likely will not be a “good face”;
  • Investigation – the card brands will require a forensic examination to be performed.  If you think lawyers are expensive, the costs related to a forensic examination will make you believe your lawyers are cheap;
  • Remediation – there will be changes required to better ensure security and some of those changes will likely have a cost associated with them.  Only the lucky get away with policy or procedural changes with a minimal cost; and
  • Loss of sales – your organization will lose customers over this lost of trust and future sales may also be affected if you did not adequately address the public relations aspect.

There are likely other events that will result from such an incident that will also cost your organization time and money.  The bottom line is that this is something your organization should avoid at all costs because, in my experience, most organizations do not survive such an incident.


3 Responses to “PCI Feels Like Something Is Being Done To Me”

  1. 1 Mister Reiner
    August 9, 2010 at 2:22 PM

    This is because senior management is ignorant to what IT and security brings to the table because they have hired security and IT leaders that are mice that are occasionally seen, but certainly never heard.

    Interesting perspective.

    You’re not implying that non-mice turn into mice, are you? In general (any industry), I always thought senior management intentionally hired a mouse because they want someone less vocal that will comply with management’s desire to ignore the requirements. Vocal security and IT leaders are often seen as dissenters that are not team players.

    Outside of the payment card industry, I know that senior management aren’t always as ignorant as they appear to be and often play games with auditors to see if they can negotiate (weasel) their way through a compliance or IT audit.

    Even if senior management isn’t reading the handbook, you know that the accounting and auditing departments are reading it, even if they don’t understand all of it. Are people in these departments your fiend or foe?

    And lastly, perhaps you should carry the following book around with you when you visit an organization. If you really get frustrated with them, you can toss a hard copy edition on the table as you leave. I think it will leave a lasting impression. 😉



    • August 9, 2010 at 3:16 PM

      I had a boss a number of years ago say to me that, “The hardest thing you will ever do in your professional life is to hire someone smarter than you.” He explained that while when you do hire someone smarter than you, you typically achieve just as much because you knew to hire the person. However, you also run the risk that the person you hire will surpass you because of their “smarts.”

      As a consultant, you meet people in positions of leadership where you are dumb founded as to how they got to that position. 9 times out of 10, it’s because the executive(s) above them want to ensure that it is their show and all about them and not worrying constantly that they hired someone that will show them up. Unfortunately, it’s the executives’ insecurities that drove the hiring/promotion decision process, not an individual’s capabilities and so you end up with mice instead of leaders in these positions.

      There is also the situation that existed in some companies that security was like business continuity planning and “special projects”, just a position to be filled by someone who had done something for the organization in the past, but no longer delivered results and management just couldn’t bring themselves to terminate. Therefore, these people were moved into positions that management deemed they could do little harm filling them with these people. Now with security and BCP being important, these people that got slotted in these positions need to step it up a bit and just do not have the skills to do that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

June 2010

%d bloggers like this: