web application security lab

Why PCI Is Good For Business

Time to take a step back and look at PCI. We all know and love it, or love to hate it for various reasons, but I’d like to go back to the roots of it all and ask one question: “What is PCI for?” The simple answer I can most get on board with is that it’s there to promote spending by increasing consumer confidence. So the obvious goal is to reduce account take-overs and information disclosure wherever possible - not necessarily to eliminate them, but to increase buyer confidence by lowering the statistical probability that a buyer will be compromised by purchasing online.

I’ve always been an advocate of increasing the potency of PCI by making it more stringent, and for that I have been told I am anti-business. Not exactly. Let’s use an example. Let’s say I’m mega huge company-A and I follow every security restriction on the planet that I can to ensure that data isn’t leaving our site, but meanwhile mega huge company-B is doing nothing, or the bare minimum. Since we will most likely share a great many users if we have any amount of web presence, company-A is now at the mercy of company-B. Users tend to use the same passwords, give the same answers to secret questions and so on, so once a user on company-B is compromised, they are also compromised on company-A. Same exploit, another day.
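As an added illustration of that cross-site exposure (example code, not from the original post): company-A’s own security team can take a credential set leaked from company-B, check it against company-A’s salted password hashes, and force resets for the accounts that match. The PBKDF2 storage scheme, the user names and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Assumed storage scheme for company-A: random per-user salt + PBKDF2-SHA256.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_record(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample data (no real credentials).
# What company-A stores for its users:
COMPANY_A_USERS: Dict[str, Dict[str, bytes]] = {
    "alice@example.com": make_user_record("correct horse battery"),
    "bob@example.com": make_user_record("Summer2008!"),
    "carol@example.com": make_user_record("unique-to-company-a"),
}

# What surfaced after the (hypothetical) breach of company-B, which in this
# scenario stored passwords in the clear:
LEAKED_FROM_B: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery"),  # reused at company-A
    ("bob@example.com", "winter2008"),               # different password at A
    ("dave@example.com", "password1"),               # not a company-A user
]


def exposed_accounts(users: Dict[str, Dict[str, bytes]],
                     leak: List[Tuple[str, str]]) -> List[str]:
    """Company-A accounts whose leaked company-B password also unlocks their
    company-A account. Run by company-A's own team against a third-party
    breach corpus so the affected users can be forced to reset."""
    hits = []
    for email, leaked_pw in leak:
        record = users.get(email)
        if record is None:
            continue  # not one of our customers
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            hits.append(email)
    return hits
```

The one match here is exactly the reuse case the paragraph describes: company-A did everything right, and alice is exposed anyway until her password is reset.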

I remember a long time ago there was one of those giant worms going around where the solution was easy enough - egress filtering. You couldn’t stop it on ingress, but if you and everyone else blocked egress the worm would stop spreading. But how, as an IT administrator, can I tell my management that we need to do egress filtering, which will do little to nothing for the worm as it stands at the moment, but will stop us from infecting other people? It’s a tough sell. Yet it’s a similar problem. My security directly impacts a lot of people who read this site, whether they want it to or not, and therefore it also impacts their businesses and their personal lives, which bleed over onto many other sites. If I had a major 0-day exploit on this site, it would be a problem not just for me, but for everyone who visits the site and would be vulnerable, and for any sites they then use.

So PCI, while not an easy sell and even tougher for people who lack a sense of altruism, has the potential to solve a lot of problems with an amendment of more stringent requirements. Yes, it’s tough on companies now, and yes, they will often go to the low cost solutions as a result, but raising that bar actually has the potential to improve consumer confidence. That’s the theory anyway. Perhaps in practice we’ll find that the end result is that we stop seeing small hacks and start seeing a lot more huge ones that make up the difference for any improvement in security, since we all know we can’t be 100% perfect in security. It’s an interesting case study anyway.

14 Responses to “Why PCI Is Good For Business”

  1. ChrisP Says:

    Interesting reading as always.

    I’m wondering though whether a hardened version of PCI (let’s call it hPCI) could address the issue of users registering across several websites using similar characteristics (uname/pwd/secret phrases/etc.) thereby allowing potential collateral damage in case of a breach at one site.

    This assumes implementing all hPCI guidelines nullifies the risk of data leakage, which I don’t see as plausible unfortunately. Unless maybe hPCI mandates businesses send fingerprint readers to their consumers as a 2nd authentication factor (the 1st one being an iris scan) ;)

  2. MikeA Says:

    Sorry RSnake, even though I agree with you on a lot of things, PCI obviously isn’t one of them :) HackerSafe/ScanAlert certainly is targeted to what your main point is (consumer confidence rather than security), but that’s something for a totally different rant :D

    PCI is just a CYA “standard” imposed on merchants by Visa/MC. IMNSHO, it’s simply a way of pushing a limited set of security requirements on merchants so that they can say “well, we said you should be ‘secure’, but obviously you are not, so it’s not our fault data has been leaked” and allows them to have a level of due diligence.

    There’s pressure to keep the standard as simple/basic as possible to a) provide “wiggle” room for PCI (so if there is a breach, a merchant might find it difficult to claim total “compliance” as their own CYA) and b) to not have a burden on merchants (as we know, “real” security is expensive and complicated).

    That’s not to say that PCI is totally worthless - it at least mandates a minimum amount of security, and the network-side of the standard isn’t half-bad. The application-side however leaves a lot to be desired and IMO hasn’t got any better in years.

    ChrisP: Mark Curphey is leading (via OWASP with a group of other people including myself) such a project and is a bit of a resurrection of something I started a year or so ago (and got a lot of pushback from Visa/MC that I won’t go into). It’s slowed recently because of work commitments, but hopefully it will give a much better set of recommendations than regurgitating the OWASP top 10 from 2004 (without any guidance of how/why you should be testing such things).

  3. RSnake Says:

    @MikeA - I disagree that the low cost ASVs are meeting the consumer confidence quotient (at least not yet). It would take a lot more work by all ASVs to get security to the level and prevalence to where it would actually impact bad guys in any shape or form - and thereby impacting global fraud numbers. Right now it’s causing little to no impact.

    But if you are correct that the real intent of PCI is to offset liability from Visa/MC and the member banks onto the merchant that is an entirely separate issue. Previously chargebacks were the way to go, but if that’s not working, perhaps PCI is a bigger stick.

  4. cyberlocksmith Says:

    My opinion of PCI has pretty much flipped 180 degrees to where now I see it as a good (read necessary) evil whereas before I did not like it because I thought it fell too far short of what merchants *should* be doing.

    The bottom line is that if we “left this to the market” to decide what to do or to the vendors to “self police themselves” then nothing would ever get done and users would be worse off than they are now.

    Whoever does not like PCI needs to ask themselves whether the users are better off with it or without it and the answer is clearly that users are better off with it than without. Opponents certainly have valid arguments that PCI may fall short or that it needs to be doing more but I think even opponents of PCI would have a hard time making a convincing case that users are not better off as a result of PCI. To confirm this all you have to do is read some of the TJX (TJMaxx parent company) emails that are now surfacing to understand that their motivation was not to protect the user but to make a buck at the user’s expense. In my opinion, the mental cost/benefit analysis that every executive goes through when deciding where to allocate capital has to include hefty fines if they do not act in the user’s best interests.

    Without user confidence in eCommerce, I suspect that many of us would be out of work.

    The bottom line to me is that PCI is not perfect and sure, it could be doing more but to say that PCI compliance is a bad thing is to essentially advertise one’s ignorance for what is truly in the best interests of users.

  5. MikeA Says:

    RSnake: I disagree that the low cost ASVs are meeting the consumer confidence quotient (at least not yet).

    I’m not saying that they *are* meeting the confidence quotient - more that they are targeting that aspect over security. It’s a subtle difference, but certainly there. Look at all the PR/marketing for these low cost ASVs and it’s more about “consumer confidence” and “sales conversions” than *actual* security ;)

    cyberlocksmith: That’s why I said “That’s not to say that PCI is totally worthless” - there’s certainly some benefit in the program. However, to my eyes it’s a CYA activity, and if it was really meaningful it would increase the requirements to a level that we *know* you get some real benefit. For me, the network side offers at least a workable set of requirements, but the application side is really lacking (and there’s where a lot of the issues are today IMO).

  6. RSnake Says:

    @MikeA - gotcha, and yes, I agree, it’s at least partially about CYA and partially about sales conversion - not about being secure. In fact I’ve heard a few companies tell me that when a customer comes to them saying they want to pass a PCI audit they tell them to go find a low cost ASV (they throw away the business) because they know the customer won’t like what they find, and ultimately they won’t get what they want out of PCI compliance. Clearly that wasn’t the intention of PCI.

  7. Jeremiah Blatz Says:

    You’re right, Mr. Snake :-), minimum security standards are not only good for business, they’re what business wants. Back when helmets were not required for pro ice hockey, most players wanted a helmet requirement, but didn’t wear helmets themselves. See, not wearing a helmet gives you an edge (you can see better), but it also keeps you from getting hurt as badly. So, players couldn’t justify wearing a helmet unless everyone else was wearing a helmet. Similarly, today most drivers want laws that prevent people from driving stupid big SUVs on the road. However, they go and buy SUVs. They think that driving an SUV makes them safer, but recognize they’d be safer still if nobody was driving them.

    Back to security. The merchant does not bear the full cost of a breach (probably the aggregate cost to their customers is greater). Furthermore, the chances that they’ll be compromised are quite small. As such, most would choose the slim chance of getting 0wn3d as opposed to the guaranteed cost of fixing their damn site. If everyone was required to fix their damn site, then there’s no competitive disadvantage, and they’re protected from that slim chance of an incident.

    The problem, of course, is that it’s possible to meet PCI without fixing your damn site. It’s like requiring helmets for ice hockey, but allowing players to meet the helmet requirement with a trucker cap. Everyone wears the trucker cap and is just as likely to get their face broken by an errant puck. That’s a problem with the particularities of the rule, not with the idea of the rule. So, I guess, PCI is good for business; current PCI compliance processes and standards are bad for business. The only wake to make PCI good for business is to strengthen the requirements.

  8. Jeremiah Blatz Says:

    (Err, I mistyped. Not wearing a helmet lets you see better, but *wearing a helmet* protects your beautiful face. And the only *way* to make PCI good for business… Lact of proofreading FTW.)

  9. cyberlocksmith Says:

    Jeremiah Blatz: I love the hockey helmet analogy. I think it is spot on with respect to Information Security. Can I have your permission to ‘borrow’ the analogy sometime? =) It could make a fine arrow to add to my quiver. =)

  10. Jeremiah Blatz Says:

    CSL, you’re more than welcome to. I actually stole it from some eco-weenie mag that I got as part of my membership. They were using it to analogize with the SUVs, but the general “advantage threshold preventing anyone doing the thing that everyone wants to do” problem is everywhere, once you are aware of it.

  11. Drazen Drazic Says:

    PCI DSS has a way to go but in my opinion, it’s the closest thing (at least in Australia and parts of Asia Pacific) we have to some form of regulation of good practice. To be honest, most companies here have no clue about good security practice so PCI is hitting them hard thus the pushback and every excuse under the sun why it’s not good. That argument amazes me.

    It’s a good thing if done right. If not done right, it has the danger of making things worse by lulling a company supposedly “in compliance” into a false sense of security, so to speak. E.g.:

    1. Most or at least a good percentage of companies doing the SAQ rate themselves as compliant. WTF? We know that’s not true because on the sample of our clients, 1% would be compliant so how do we get figures of 60% upwards that some Acquirers are quoting.
    2. Dumb QSAs. Anyone can become a QSA if you have the money. The exam is simple and someone with little IT security knowledge who sits through a training session will pass. As a QSA we’ve gone into a number of clients who had previously been “passed”, only to find that they had major issues. The process to certify QSAs needs to be tougher. The PCI Standards Council may argue that this will lower the number of QSAs and endanger the program - so what do you do?
    3. The ASV value add argument is an interesting one? We were an ASV at one stage but as the standard seemed to drop in terms of what was required to be performed/tested, so we dropped off that list and left it to the likes of Qualys (Good for what it does) and another previously mentioned in this thread (Bad). The reason we were given that more detailed app level review was now out of the quarterly scanning came down to businesses being able to afford to engage an expert organisation to do it. (Still, a level of detailed testing is required at least once a year anyway).

    I am a big supporter of PCI because as I said, it’s probably one of the best things out there at present but it isn’t a silver bullet to making the world secure (nor are the plethora of “security” products being released daily with the sales spin to being able to solve all a company’s problems). I rant quite a bit in Beast or Buddha about PCI if anyone is interested. (No, not a blatant bit of marketing).

    Nice thread Rsnake.

  12. Mark Palmer Says:

    What is more important overall; being compliant or being more secure and compliant?

    A large gap in understanding why the PCI standards are “good” is where businesses are aiming.

    Businesses that aim for compliance are missing the real target by a mile. Businesses need to refocus their aim of PCI: a thoughtful, uncomplicated, and well organized Information Security Program.

    When aiming for information security instead of just PCI compliance (or other regulatory requirements, e.g., SOX, HIPAA, etc.), additional business benefits are gained like cost justification, productivity, base-lining, and security awareness. When a business chooses to aim for Information Security they will be able to get compliant for free!

    The “basics” of information security are not proprietary and work similarly no matter the color of one’s hat or motivation:
    1. Identify & Classify your Assets - Know your assets
    2. Decide how to protect the assets and to what extent
    3. Define how information and data assets are managed
    4. Define what acceptable use is (this would, of course, depend on one’s business objectives)
    5. Define how vulnerabilities are assessed and managed
    6. Define how threats are assessed and monitored
    7. Define how security awareness takes place within the organization

    The thing about compliance is that it is a continuous journey and not a destination. Businesses that continue to focus PCI efforts as a project to be completed by some date in time are missing the point.

    The Hockey Helmet & SUV analogies are great. Thanks for sharing.

    Regards,
    Mark Palmer

  13. Drazen Drazic Says:

    Well put Mark - that pretty much is it in a nutshell. If you’ve got a good framework in place and are adhering to an ongoing program of good practice, you’re going to generally be or close to compliant to “anything” that comes out. It shouldn’t be a separate exercise for each new mandated framework or standard - it should be one program that may just need a bit of tweaking here and there for new things that may arise, but not a separate program.

  14. Joe Says:

    Hey guys, being “close” to compliant doesn’t cut it.

    I believe in protecting card data, but PCI is killing small businesses. Rules like only allowing one service per server pretty much guarantee that many small businesses won’t be able to comply. Add to that the fact that most Cloud service providers won’t provide their customers with a binding contract indicating responsibility for card data, and small business has no hope. The cards are stacked against them.

    If card companies really wanted to solve this problem, all they have to do is provide merchants with a card data storage service. Then the merchant could just pass a token to the card provider and end card data flying around the Internet, or being stored at a million different locations. They won’t do that though because this is really just a money game. They are making tons of money issuing large fines and don’t want to lose that easy revenue. Providing a storage service would solve the problem, but that means they have to actually work for the money.