Security Or Checking A Box?

“Better to remain silent and be thought a fool than to speak out and remove all doubt.” Abraham Lincoln

What is your organization interested in?  Security or checking a box?

Not surprisingly, most people answer “security” and then go on to prove with their actions and words that they are only interested in checking a box.

Those of you out there who argue ad nauseam about the meaning of PCI DSS testing requirements and the requisite documentation are interested in one thing and one thing only: checking a box.  I am not talking about the few that have honest differences of opinion on a few of the requirements and how a QSA is interpreting and assessing them.  I am talking about those of you that fight constantly with your QSA or acquiring bank on the process as a whole.

If you were to step back and listen to your arguments, you would hear someone that is splitting hairs in a vain attempt to avoid having to do something that would improve your organization’s security posture.  In essence, you want to only be judged PCI compliant, not actually be secure.

To add insult to injury, these are also typically the people that argue the most vehemently over the fact that the PCI DSS is worthless because it does not make an organization secure.  Wow!  Want to have your cake and eat it too!  Sorry, but you cannot have it both ways.

Everyone, including the Council, has been very clear that the PCI DSS is a bare minimum for security, not the “be all and end all” for securing an organization.  Organizations must go beyond the PCI DSS to actually be secure.  This is where these people and their organizations get stumped, because they cannot think beyond the standard.  Without a detailed road map, they are totally and utterly lost.  And heaven forbid they should pay a consultant for help.

But I am encountering a more insidious side to all of this.  As you listen to the arguments, a lot of you arguing about PCI compliance appear to have no interest in breaking a sweat and doing the actual work that is required.  More and more I find only partially implemented security tools, only partially implemented monitoring and only partially implemented controls.  And when you dig into it, as we must do with the PCI assessment process, it becomes painfully obvious that progress stopped at exactly the point where the work got hard.

“It’s supposed to be hard. If it wasn’t hard, everyone would do it.” Jimmy Duggan – A League Of Their Own

Security guru Bruce Schneier was speaking at a local ISSA meeting recently and, when asked why security is not being addressed better, he stated that one of the big reasons is that securing our technology is hard and at times complex.  And he is right, security is hard.  It is hard because of our poor planning, lack of inclusion, pick the reason and I am sure there is some truth to it.  But he went on to say that it is not going to get any easier any time soon.  Yes, we will get better tools, but the nature of what we have built and implemented will still make security hard.  We need to admit it will be hard and not sugar coat that fact to management.

Management also needs to clearly understand that security is not perfect.  The analogy I like to use is banks.  I point out to people the security around banks.  They have one or more vaults with time locks.  They have video cameras.  They have dye packs in teller drawers.  Yet banks still get robbed.  But the banks only stock their teller drawers with a minimal amount of money, so a robber can only get a few thousand dollars in one robbery.  Therefore, to be successful, a robber has to rob many banks to make a living, which increases the likelihood they will get caught.  We need to do the same thing with information security: recognize that breaches will still occur, but have controls in place that minimize the amount or type of information an attacker can obtain.

“There’s a sucker born every minute.” David Hannum

Finally, there is the neglected human element.  It is most often neglected because security people are not people people.  A lot of people went into information security so that they did not have to interact much with people; they wanted to play with the cool tools.  Read the Verizon, Trustwave, etc. breach analysis reports and time and again the root cause of a breach comes down to human error, not a flaw in one of our cool tools.  Yet what do we do about human error?  Little to nothing.  The reason being that security awareness training supposedly does not work.  Security awareness training does not work because we try to achieve success by doing it only once per year, not continuously.

To prove a point, I often ask people how long it took them to get their spouse, partner or friend to change a bad habit, say, putting the toilet seat down or not using a particular word or phrase.  Never in my life have I gotten a response of “immediately”, “days” or “months”; it has always been measured in “years”.  And you always get comments about the arguments over the constant harping about changing the habit.  So why would any rational person think that a single annual security awareness event is going to be successful in changing any human habits?  It is the continuous discussion of security awareness that results in changes in people’s habits.

Not that you have to harp or drone on the topic, but you must keep it at the forefront of people’s minds.  The discussion must be relevant and explain why a particular issue is occurring, what the threat is trying to accomplish and then what the individual needs to do to avoid becoming a victim.  If your organization operates retail outlets, explaining a banking scam to your clerks is pointless.  However, explaining that there is now a flood of fraudulent coupons being generated, and how to recognize phony coupons, is a skill that all retail clerks need to have.

  • Why are fraudulent coupons flooding the marketplace? Because people need to reduce expenses and they are using creative ways to accomplish that including fraudulent ways.
  • What do the fraudulent coupons do to our company? People using fraudulent coupons are stealing from our company.  When we submit fraudulent coupons to our suppliers for reimbursement, they reject them and we are forced to absorb that as a loss.
  • What can you do to minimize our losses? Here are the ways to identify a fraudulent coupon.  [Describe the characteristics of a fraudulent coupon]  When in doubt, call the store manager for assistance.

Every organization I know has more than enough issues of this kind that coming up with a topic for such a message at least once a week is easy.  Information security personnel need to work with their organization’s Loss Prevention personnel to identify those issues and then write them up so that all employees can act to avoid becoming victims.

Those of you closet box checkers need to give it up.  You are doing your organizations a huge disservice because you are not advancing information security; you are advancing a check in a box.


7 Responses to “Security Or Checking A Box?”

  1. Dat Colin
    November 20, 2015 at 9:55 AM

    So I have a question. If a given organization is not compliant with, say, requirement 12.9 and requirement 8.1.6.b and the ROC says not in place, does this mean that the QSA will not issue an attestation of compliance to the given organization?

    The game of either you are compliant or not compliant, like Yes or No, is where most organizations don’t like PCI DSS.

    A quick feedback would be appreciated.


    • November 21, 2015 at 8:24 AM

      Regardless of compliance or non-compliance, a QSA or organization can issue a ROC/SAQ and AOC. This is a myth in the PCI compliance business. While it is easier on the acquiring bank and the merchant/service provider to have a fully compliant ROC/SAQ, you can also have a non-compliant ROC/SAQ. When a ROC/SAQ is non-compliant, the acquiring bank is required to periodically monitor the merchant’s/service provider’s progress on remediating their issues. This typically involves monthly or quarterly status calls and possibly site visits by a QSA. A non-compliant ROC/SAQ can also result in fines being assessed. Once compliant, banks typically request that a QSA go on site and validate the remediation is complete and that the requirements in question are now compliant.

      When non-compliant, the last page of the AOC would indicate those sections that are not compliant (i.e., the ‘NO’ box would be checked), the reasons why those sections are not compliant and a proposed date when those sections would be compliant would be documented in the Comments column for those sections. In your example, sections 8 and 12 would be marked ‘NO’ and you would be required to comment on those sections and provide dates for expected compliance.

  2. November 17, 2014 at 3:08 PM

    To me, fighting the checkbox mentality is an all but impossible battle to win because PCI itself is a list of checkboxes. No matter how security conscious you are, whether you go the extra mile or only do the minimum, once a year you have to go through the checkbox process – be it an SAQ or an interrogation by your QSA. While PCI compliance should be a byproduct of your security, in reality both boil down to checklists (boxes) and hence the checkbox mentality. I thoroughly understand minimum vs. secure, but without a checklist how do you determine either? Kind of a Catch-22.

    • November 18, 2014 at 7:38 AM

      Making the process checking a box takes both the QSA and the organization being assessed. Compliance ultimately comes down to whether your organization is following the rules or not – a binary yes or no. However, getting to the yes/no requires that a QSA examine policies, standards and procedures and test to ensure that all of those policies, standards and procedures are actually being used, i.e., walking the walk versus talking the talk.

  3. Alan Gutierrez-Arana
    November 17, 2014 at 12:12 PM

    Awesome post; you definitely strike the nerve of one of the biggest cultural challenges faced by QSAs around merchants; sadly some of our own (QSAs) also have a “checklist mentality” around the standard.

  4. Year4
    November 17, 2014 at 7:18 AM

    Just doing v3 for the first time right now (fourth year overall). Over 80% of what the QSA asked for is documentation changes which have no effect on real-world security. The exercise is losing credibility real fast now...

    • November 17, 2014 at 7:49 AM

      Sorry to hear your comments on v3. In reviewing v3, I found a lot less “wiggle room” for QSAs in their testing and what was required to prove that testing was done. It does not sound like your QSA is doing much testing. Maybe you need to change QSA companies and get some real testing done.
