it is still not time for pci dss to die

Saw an article saying that Arby’s has reports of a mid-January data breach of more than 350,000 credit and debit cards. This echoes a breach from 2016 by Wendy’s. I would link to this article, but it’s not necessarily a source I usually look at. If I find this mentioned elsewhere, I’ll add the link. If true, I’m at least interested in the short gestation time for that malware being present and someone noticing it! (Just like every breach, I’d love the full, un-redacted story from infection to discovery so I can gauge how truly impressed I may or may not be.)

One comment I noticed asked whether it’s time to ditch the useless PCI framework and get back to real security.

That’s a good question, and an easy answer for any company that is already enlightened about digital security.

But many are not, and PCI has been the only driver for any type of interest in security. Granted, those companies may still just be filling the checkboxes of the PCI requirements and not really doing much of anything of real ongoing value, but it does do a few things.

First, it mandates pen tests and third-party examinations of an environment. You’re still only getting what you pay for, but this could at least expose some low-hanging fruit.

Second, it gets a few extra tools in place that a company may normally not even bother with, such as IDS/IPS, code reviews, a WAF, or firewall rule reviews. How many SMB environments run any sort of vulnerability assessment internally if they’re not asked to by a regulation? Very few. And those reports expose many small and large issues that can be fixed for little effort and high value.

Third, some of these checkboxes are in part driving the UTM market and other conglomerated boxes that combine many tools into one pane of glass and one management umbrella. This is (arguably) good for everyone, and especially so as prices go down (a little) and quality goes up (a little), particularly in comparison to an environment that just has outdated antivirus, an old firewall, and nothing else.

Security efforts (and even things like making sure backups are successfully created) are things that almost always fall into second place behind revenue-generating events or tasks that support revenue generation. They just get done “tomorrow.”

We also need to remember that PCI DSS was created more to cover the butts of the card processors than it was to protect merchants and end-users. It’s also not the ultimate answer to security; it’s a framework that needs to be implemented properly for an environment and kept continuously effective. So maybe crying about the state of PCI isn’t even the correct place to be looking.

And no discussion of this topic would be complete without diving into the world of cyber/data breach insurance. If we don’t want to abide by rules, maybe we’ll just start eating the costs and call it part of business lumped into the insurance payments.

And lastly, it’s our duty in security to accept the axiom that breaches are inevitable. Even if you have a great security team or follow PCI DSS to the letter, you still have to assume a breach will occur. Hopefully many are prevented, and the successful ones are detected and mitigated quickly.

If someone wants to say PCI DSS is useless, I’d really want them to offer up alternative solutions that can be applied to enterprises across many industries and sizes. Don’t just say, “Do *real* security now.”
