Welcome to the new year. I hope the holidays have been treating you well and the coming year is good as well.
There have been a number of articles written about why and how the PCI compliance process will die. It is not that I look forward to the PCI standards dying as they have brought a needed visibility to information security and privacy as well as the fact that PCI keeps me gainfully employed. However if things stay on their current trajectory, the PCI standards will eventually die, but not for the reasons being quoted in today’s articles. The real killers of the PCI compliance process will be the card brands and the PCI Security Standards Council. Yes, the very folks that brought us the PCI standards will bring the ultimate demise of their precious set of standards.
The first death knell I see is that it is very easy to issue edicts from on high when you do not have to implement them. Over the years, clarifications have been issued, quality assurance reviews performed, forensic examinations conducted and a host of other activities have resulted in “enhancements” to how the PCI standards are assessed and enforced. Do not get me wrong, a lot of what has been done was needed and appreciated.
However, by the same token, some of what has come down has been a nightmare to implement. Any QSAC not using some sort of automated system to conduct their PCI assessments will find it impossible to meet the current and any future documentation and tracking standards now required by the PCI SSC’s QA process. Under the current standards, QSACs need to document who they interviewed and what the persons were interviewed about as well as tying documentation and observations to the tests performed. Without some sort of automated process, these requirements are just too intensive to perform manually.
Documentation received and reviewed needs to have its file name, date of issue and a description of its purpose in the PCI assessment process documented. The basic PCI DSS has a minimum of around 200 discrete documents that are required for the PCI assessment process. The average we see for most of our engagements is over 600 documents which also include not only policies, standards and procedures, but configuration files, interview notes and observations such as screen shots, log files and file dumps. You really have to question any QSAC that tells you they manually manage the process. They either have an amazing and magically efficient project management process, they have very, very inexpensive staff (i.e., overseas labor) or they are short cutting the processes and producing a work product that does not comply with the PCI SSC QA program and have yet to be assessed by the PCI SSC (the most likely scenario).
Even using simple SharePoint or Lotus Notes solutions are not cheap when you consider the cost of the server(s) and the storage of all of documentation collected, which can be around 5 to 10GB per project, as well as all of the requisite system maintenance. Servers and storage may be cheap, but it all adds up, the more clients you assess. And speaking of the storage of documentation, the PCI SSC requires that documentation related to PCI assessments be stored for at least three years. For those of us with electronic work paper management systems, this is not a problem. However, given the amount of paper generated by these projects, those QSACs using the traditional paper filing methods will find a lot of shelf space taken up by their PCI engagements if they are truly following the procedures required by the PCI SSC.
All of this drives up the cost of a proper PCI assessment, more than I think the card brands and the PCI SSC are willing to admit. It is not that I think the card brands and PCI SSC do not care about this situation, but more related to they do not have an understanding of the operational ramifications of their edicts. The card brands and PCI SSC tread a very fine line here and to this point they have been heavy handed in the issuing of their edicts. Going forward, the PCI SSC needs to ask the QSACs, Participating Organizations and ASVs to assess the cost and time impacts of these edicts so that they can be weighed against their benefits versus what is done now which is more of a procedural and proofing review. If this is not done, there will soon come a point where merchants and service providers will push back hard and refuse to go through the process due to the cost and the amount of time involved to be assessed.
The next death knell is the inane process that is called the PCI Report On Compliance (ROC). When the PCI SSC did not have access to the QSACs’ work papers, the current ROC writing process made some sense as there was no other way for the PCI SSC or the processors and acquiring banks to know if the QSACs had really done the work they were saying they had done. However, all of that changed a number of years ago when the PCI SSC required QSACs to add a disclaimer to their contracts stating that the PCI SSC had the right to review all work products. Yet even with this change, we continue to have to write an insanely detailed ROC, typically numbering in a minimum of 300+ pages for even the most basic of ROCs.
Unfortunately, there are QSACs out there that apparently have not been through the PCI SSC QA process and that dreaded of all states – Remediation. As a result, they have much lower costs because they are not documenting their assessment work as completely as they need to and are not sampling, observing or interviewing like QSACs that have been through the QA process. In addition, based on some work products we have seen, they also do not care about the quality of the resulting ROC as it looks entirely like a ‘find and replace’ of a template and makes no sense when you read it. In talking to other large QSACs that have been through the QA process multiple times, the PCI SSC has indicated that they are monitoring the large QSACs more than the little QSACs because there is more risk with the large QSACs. While true to an extent, we have encountered a number of smaller QSACs that perform assessments for large clients due to their much lower cost structure and their willingness to ‘overlook’ compliance issues. If the PCI SSC does not go after these QSACs soon, there will likely be a number of breaches that occur due to the QSACs’ lack of diligence in performing their assessments.
I know of a number of QSACs that would like to see Bob Russo and the representatives of the various card brands to actually work as staff on a few PCI assessment engagements so that they can better appreciate the inordinate amount of work involved in generating a ROC. I think they would be shocked at the amount of work effort they have driven into a process that is already too complicated and prone for error.
As it stands today, the ROC writing, review and proofing process is probably 50% to 60% of a good QSAC’s project costs. To address this, the PCI SSC QA group tells QSACs to develop one or more templates for writing the ROC which, from what we have seen from some other QSACs, means a lot of mass ‘find and replace’ to speed the ROC writing process. For the last few years, a number of QSACs have brought the ROC writing process up at the Community Meetings. However the card brands continue to shoot down any sort of changes to the process. As a result, the cost of producing a ROC is driven by the size and complexity of the merchants’ or service providers’ cardholder data environment (CDE). These costs will only continue to rise as long as the PCI SSC does not allow QSACs to mark items as ‘In Place’ with only a check box and rely on the QSAC’s work papers versus the verbosity required now. If this sort of process can work for financial auditors, it can work here as well.
A third death knell is the PCI SSC and card brands continuing to quote that the majority of breaches are the result of organizations not complying with the PCI DSS. In discussions with a number of the PCI forensic examination companies, I am hearing that the card brands cannot believe the fact that more and more organizations were PCI compliant at the time of their breach. The PCI SSC and card brands have apparently convinced themselves that the PCI standards are “perfect” and they cannot imagine that an organization could be breached unless that organization was not complying with the PCI standards. There is no security standard that I am aware that totally prevent breaches. So while the PCI standards are good baseline security standards, the card brands and PCI SSC seem to have forgotten that security is not perfect and that any security standard only minimizes the damage done when a breach occurs if the standard is truly followed.
And as organizations have gotten the PCI “religion,” the effort required to compromise them from the outside via traditional attacks has increased significantly. As a result, successful attackers have changed strategy and work on social engineering their way past the bulk of an organization’s security measures. The PCI DSS only has a little bit on social engineering in requirement 12.6 regarding security awareness training. And even those organizations with the most robust of security awareness programs will tell you that, even after extensive security awareness training, human beings are still fallible and that some people still do very questionable things that continue to put organizations at risk, sometimes significant risk. Even when you have the most diligent of employees, they still make mistakes in judgment from time to time.
Until the human element can be totally removed, there will always be a certain amount of risk that will never go away. Again, the PCI SSC and card brands seem to not want to acknowledge the failings of the human element and appear to believe that technology is the savior based on the focus of the PCI standards. However time and again, every security professional has seen very sophisticated security technologies circumvented by human error or just plain apathy towards security (i.e., “it always happens to someone else, not my organization” or “we’re too small to be a target”).
Until the PCI SSC and the card brands drop the “holier than thou” attitude toward the PCI standards and stop the public pillory of organizations that have been breached, there will continue to be editorial commentary regarding the pointlessness of the standards and ever more serious push back to complying with the standards.
These are the reasons why the PCI SSC and the card brands will be the ones that will kill the PCI standards. At the moment, they are so far removed from the process; they do not understand how complicated and expensive the process has become which is why merchants and service providers are complaining about the ever increasing costs and effort related to the PCI assessment process.
The PCI SSC and card brands also seem to have forgotten that QSACs have to make money doing these assessments and, when you pile on clarifications and edicts that do nothing to streamline and simplify the process; you are only driving the costs of the process higher. And higher costs only make merchants and service providers, who are on thin margins to being with, even more incentivized to use the much lower cost QSACs, driving the diligent QSACs out of the market, thus increasing the likelihood of breaches.
Again, it is not that I want the PCI standards to go away as I think they have brought a real benefit. However, if these issues are not addressed, the PCI standards will end up going away. I fear that, with them gone, there will be no carrot to ensure the security of cardholder information and we will end up back where we were before the PCI standards existed.
