Friday, March 19, 2010

Compliance: PCI in a very small nutshell

Disclosure
I am certified as a Payment Card Industry (PCI) Qualified Security Assessor (QSA). I am frequently paid to perform PCI audits, to advise people on how to fill out their Self Assessment Questionnaire (SAQ), and how to identify and remedy gaps in security that would prevent them from complying.


Previously, I’ve written about identifying risks and handling them. I’ve asserted (indeed it is the fundamental thesis of this blog) that risk management is something everyone does, and that if it is done mindfully and consciously we live happier and better lives, personally and professionally. That never means there aren’t complications and challenges to face, and today I’m writing about one of them.

It should come as no surprise that if everyone evaluates their own risks, different people come up with different risks and ideas about how to manage them. A cost may be acceptable to one person, but not another. Worse, the price one person may be willing to pay to mitigate a threat may itself be the threat someone else is trying to manage. For example, there have been plenty of people willing to sacrifice some amount of their civil liberties in order to mitigate the risks associated with terrorism, drugs, what-have-you; while others see “We might lose some civil rights” as a great big threat. Obviously, different people’s risk management interact with one another, and that interaction has to be mediated. As a society, we have developed a number of tools for this purpose – government for one. Compliance is another.

Compliance is how one party requires another to manage risk to the first party’s satisfaction. The regulating body defines a standard that the regulated body must meet in order to avoid some penalty. If the regulating body is a government, that penalty may be a fine, jail time, or revocation of a business license. In the U.S., it can also be loss of access to other government-regulated bodies, such as stock markets. With the PCI DSS, the penalty is being on the business end of a great big risk assignment and losing the right to take credit cards – a pretty compelling case to any business that needs to accept credit cards in order to have customers.

You may recall that there have been quite a few credit cards stolen from online businesses over the last decade or so. Generally, this has been possible because the business’s security program didn’t provide enough protection to credit card numbers. Every time that happened, banks were impacted because they had to cut a mighty big check in order to replace all the compromised credit cards, keep on the lookout for fraudulent card use, etc. Worse, every time that happened, the public’s confidence in credit cards got a little shakier. I’m sure you remember a time when you wouldn’t have dreamed of using your credit card to buy something on the Internet. If you’ve been the victim of identity theft, you may well still feel a twinge of lingering pain when you use your new card – if you’re willing to use it online at all. Banks only make money on credit cards if people have them and use them, so this rapidly became a huge risk. The PCI Data Security Standard (DSS) is how credit card companies manage that risk. It tells anyone who handles their customers’ credit card data what they must do to protect it. The incentive to meet that standard is to avoid fines, avoid losing the right to accept credit cards, and avoid being assigned all the costs associated with that information getting stolen – if a merchant or service provider is compliant and the bad guys still make off with the card information, the banks agree to eat it. All the merchant or service provider has to do is comply and they’re home free. This should be an easy call when the merchant or service provider does its risk management: the impact of a fine that doubles every month is big, the risk of losing the right to take credit cards might mean someone closes down tonight, and TJX has had to pay upwards of a quarter billion-with-a-b dollars for their breach. Compliance is an easy call, right?

You knew better than that. Several years later, there’s been quite a bit of controversy about the standard within the security industry. Compliance isn’t cheap, and that cost can be just as big a threat to a small business as the risk that’s just been assigned to them as part of the card merchant agreement if they don’t comply. It’s shifted the risk analysis the merchant or service provider is doing. Worse, in this economy infosec budgets are shrinking anyway. That means that this expensive compliance effort might just soak up the entire budget that the CISO had been hoping to use to mitigate another risk. Nor do compliance requirements generally let IT executives off the hook with their bosses to spend their finite time and effort on projects that actually generate revenue.

These are real concerns, and they’re just the tip of the iceberg. But they needn’t send businesses running back to taking cash and checks only. IT and InfoSec people can also use these concerns, and the road by which so many companies have come to the horns of this dilemma, as an opportunity. It’s largely a matter of understanding what PCI is and isn’t, of making sure the boss understands it, and of welcoming it as an opportunity to live more mindfully rather than a wound in need of a band-aid. Next time, I’ll talk about the risks of PCI compliance and how to avoid them.

Have you encountered PCI in your work life? What are your experiences? What headaches did you find and how did you handle them? I’d love to hear about it.