The Payment Card Industry published the Data Security Standard 11 years ago; however, criminals are still breaching companies and getting access to cardholder data. The number of security breaches in the past two years has increased considerably, even among the companies for which assessors deemed compliant. In this paper, the author conducts a detailed analysis of why this is still occurring and proposes changes companies should adopt to avoid a security breach.
The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) to provide a minimum set of required security controls to protect cardholder data 11 years ago (Search Security, 2013).
According to Verizon’s PCI DSS Compliance Report, the number of organizations that are fully compliant at the time of interim assessment is growing rapidly each year. While the increase in organizations taking PCI DSS compliance seriously is important, there has been a rise in organizations’ data breaches.
There are still many misconceptions about PCI DSS compliance and its role in providing a reasonable level of security. Some of these misconceptions have driven organizations to reallocate resources into preventive controls while disregarding detective controls. The resource allocation strategy may provide a low rate of successful implementation due to misaligned operational and strategic goals which could results ineffective incident handling procedures and/or intrusion detection failures.
Organizations are being beached due to failure to implement the minimum set of security controls. This article will focus on the organizations which Qualified Security Assessors (QSAs) have deemed PCI DSS compliant.
2. Compliant but not Secure
One of the major misconceptions about PCI DSS compliance is PCI DSS-certified companies are secure or hacker-proof as vendors in the industry may carelessly advertise. In fact, according to Verizon’s PCI DSS Compliance report, only 29 percent of companies are compliant a year after validation. This means that many businesses are checking the boxes for PCI DSS compliance off their list, or even just implementing compensating controls, and then forgetting about it until the next audit is due. In 2013, Target was certified PCI DSS compliant weeks before hackers installed malware on the retailer’s network. Others such as Heartland Payment Systems suffered a major breach even though assessors deemed their company compliant for six consecutive years.
Either the PCI DSS is an ineffective security standard for protecting cardholder data or the organization’s implementation of PCI DSS is conceptually flawed in their approach. If PCI DSS does not guarantee security, what is the actual benefit of being compliant? Besides possibly providing some legal safe harbor, PCI-DSS compliance does not eliminate probability of payment data breaches.
PCI DSS includes security controls to deal with the most common risk scenarios and known attack vectors identified by the PCI SSC. Even though, PCI SSC continues to update the PCI DSS over the years, it’s virtually impossible for PCI DSS to anticipate every possible attack scenario. While PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, ultimately, it’s each organization responsibility to provide credit card data security.
3. Why Are PCI-Certified Organizations Being Breached?
Verizon 2015 PCI Compliance Report states, “Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach” (Verizon, 2015).
Based on the statistical information collected by Verizon, it is reasonable to assume that organizations may have met compliance standards; however, the security controls were not sustainable or resilient after the initial certification assessment. There are multiple probable reasons why this may occur, and we could easily group these reasons into two major categories: reasons attributable to the organization and reasons attributable to the QSAs that are certifying these organizations.
3.1. Reasons Attributable to the Organization
3.1.1. Compliance program
Some organizations falsely assume that PCI DSS compliance is merely passing their annual assessments and obtaining certifications. These organizations are employing compliance efforts into a singular event; however, failing to maintain compliance is part of the organization’s continuous monitoring effort. It is not surprising that these organizations end up being primarily breached because of the deficiency of a mature compliance standard which address protection and security measures of cardholder data.
These types of organizations usually fail to:
- Identify all locations where cardholder data is stored and define their compliance scope accordingly
- Gain visibility and control of their payment channels that could result in unknown new cardholder data flows and repositories
- Monitor security controls and compliance periodically
- Provide adequate security awareness to all the organization’s stakeholders to ensure PCI DSS required security controls are understood and applied to all the system components in scope
- Fill out compliance self-assessment questionnaires without validating security controls
For example, Sally Beauty’s sysadmins were using a Microsoft Visual Basic scripts that contained their network administrator’s username and password (Krebs, 2015a). This insecure practice is in clear violation of PCI DSS requirement 8.2.1 which demands all credentials be rendered unreadable during transmission and storage on all system components (PCI SSC, 2015).
3.1.2. Unrealistic expectations
Organizations may have unrealistic expectations for their QSAs. For example, they expect their QSAs to:
- Understand the organization’s business processes and applications better than the organization’s staff
- Uncover all gaps and vulnerabilities
- Uncover all locations where the organization stores cardholder data
Even properly scoped assessments are limited by time and resources, and as such, in most cases QSAs can only review a sample of systems components. Making it impossible for a QSA to uncover all gaps and vulnerabilities. It is common for an organization that has previously been marked PCI-compliant to remediate newly unidentified gaps during an assessment cycle.
An experienced QSA may be familiar with typical locations where organization store cardholder data and he or she may be able to find data stored at offsite data repositories. However, it will be a difficult task for a QSA to trace all locations where cardholder data is stored unless the organization is using an automated access control system.
For example, Forever 21 retails, after a security breach blamed their QSA for failing to uncover undisclosed files containing cardholder data (Schuman, 2008). Unless this QSA was hired to conduct a data discovery process, it is unreasonable to blame the QSA for these undisclosed data repositories.
3.1.3. Human error
As it is widely known in information security domain, humans are considered the weakest link in the security chain subsequently organizations should anticipate that people may inevitably fail. Employees may fail to apply a security patch, misconfigure a security setting, fail to follow security policies and procedures, or may become susceptible to phishing attacks. Regardless of the security controls in position, cyber criminals are effective with exploiting the irrational elements of human nature.
For example, a district manager that kept his credentials taped to a laptop may have contributed to Sally Beauty’s security breach (Krebs, 2015a). This raises more questions about the effectiveness of Sally Beauty’s security awareness program and its compliance with PCI DSS.
3.1.4. Focus on preventive controls only
Many organizations focus their entire operational efforts on security breach prevention while overlooking the importance of resource allocation to the cybersecurity incident response plan for detecting, analyzing, prioritizing, and handling incidents.
If cyber-criminals are successfully exploiting traditional measures of trust to gain a foothold on cardholders’ data, then it is highly probable that organizations were unable to detect the intrusion, and/or regardless of the number of controls employed, the intrusion-detection capability were ineffective due to inadequate deployment of intrusion detection system (IDS) sensors.
According to the Verizon PCI Compliance Report, several breached organizations received alert notifications; however, some organizations failed to thoroughly investigate these alert notifications when such traffic occurs.
For example, Target confirmed that the cyber-attack vectors against their retailer’s point-of-sale (POS) systems triggered alarms and their information security team chose to ignore (Schwartz, 2014). Sally Beauty’s Tripwire solution fired warnings when the intruders installed malware on their point of sale systems. Either the cyber security team was not monitoring the alerts or they ignored the alerts altogether (Krebs, 2015a). In a similar case, Secure Pay’s web application security system triggered several alerts to block a specific external internet protocol (IP) address; nevertheless, cyber criminals were successful with exfiltrating the cardholders’ data. (Krebs, 2014a).
3.2. Reasons Attributable to the QSAs
Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSAs have certified non-compliant organizations that are nowhere near compliant which maybe highly attributable to the QSAs’ inappropriate methodologies and/or attributable to unqualified consultants. Even in these cases, it is important to understand that the role of a QSA in a PCI DSS assessment is not to conduct a complete discovery of all non-compliant issues. The QSA’s role is to provide an opinion on the compliance status of an organization based on the time allocated to interview the organization’s staff, review a sampling of system components, and analyze evidence provided by the organization.
3.2.1. QSA methodology
QSA’s methodology to conduct PCI DSS assessments may lead to certifying non-compliant organizations. Jennifer Bjorhus conducted several interviews with industry members who described the work conducted by the largest QSA company as “lax”, not accurate, “glaring with errors”, and poor quality (Bjorhus, 2014).
The following list illustrates cases where a poor methodology may lead to a flawed assessment:
- QSAs who rely mostly on their interviewees’ statements to validate compliance
- Some QSAs may accept their interviewee’s statements at face value. They do not realize that sometimes interviewees are not necessarily the most authoritative person to speak on a subject or that they may just assume that security controls are in place, and that sometimes interviewees may rely on what their staff has told them without validating those assertions themselves.
- QSAs who solely rely on evidence provided by the organization
- QSAs have to keep in mind that the organization may provide evidence of only selected system components that currently comply with PCI DSS. QSAs may miss the opportunity to uncover compliance deviations and issues if they only rely on screenshots or partial configuration reviews provided at the organization’s discretion.
- QSAs who spend little to no time onsite
- With little time to conduct an onsite review, it is very unlikely that the QSA would conduct a thorough analysis and detect not so evident gaps. News media identified at least one QSA company of performing assessments in a third or quarter of the time compared to other QSA companies (Grundvig, 2013).
- QSAs who don’t take a representative sampling of system components
- QSAs who do not take appropriate sampling sets may fail to identify gaps in the security management processes and patterns that contribute to security operations inconsistency.
- QSAs who are validating positives instead of negatives
- QSAs who validate positives would focus on finding evidence of compliance. QSAs who validate negatives focus on finding evidence of non-compliance. It is very easy to validate positives, as a small sampling would be sufficient to believe that an organization is PCI DSS compliant. On the contrary, validating negatives requires spending more time to ensure no instances of non-compliance exists. This latter approach would obviously take more time and most QSAs do not usually practice it.
3.2.2. QSA individual expertise
The QSA’s level of proficiency may also be a factor which may result in non-compliant organizations passing their assessments, for example:
- QSAs who fail to identify the right compliance scope for an organization
- QSAs may incorrectly advise their clients to leave critical components out of the compliance scope. These components, if compromised, could be used by an attacker to gain access to the cardholder data environment.
- QSAs who are not experts on specific areas or technologies
- QSAs who are not experts on the technologies under review may fail to identify critical vulnerabilities or misconfigurations. An intruder may exploit these vulnerabilities to escalate privileges and gain access to cardholder data.
- QSAs who are not familiar with hacking techniques or attack vectors that hackers use to breach organizations
- A QSA who is not familiar with hacking techniques or attack vectors may fail to identify how the lack of specific security controls could put the cardholder environment at risk. Robert Carr, Heartland’s CEO, blamed his QSA for being unable to identify a common attack vector that criminals used against other companies (Brenner, 2009).
4. Improving PCI DSS Compliance and Security
Given multiple reasons why organizations may be compliant and yet not secure, organizations should strive to improve their compliance with the PCI Data Security Standard by taking holistic, or a tiered approach to improve the organizations’ security posture.
4.1.1. Develop a mature compliance program
Organizations should develop a mature compliance program by conducting the following tasks:
- Designate an individual or group to manage and monitor PCI DSS compliance and empower them to have influence across the organization.
- Conduct a data discovery process regularly to identify and maintain an inventory of data repositories and system components in scope. Define your PCI DSS scope based on this inventory.
- Automate PCI DSS compliance to have a clear visibility of the compliance status of the organization at all times. Organizations can achieve this task by using GRC tools such as IBM OpenPages, RSA Archer or similar tools.
- Provide appropriate security awareness training to ensure all stakeholders understand the need of PCI DSS compliance. This training has to be tailored to the specific needs of each organizational group.
- Follow PCI SSC’s best practices for implementing PCI DSS into business-as-usual processes.
4.1.2. Select the right QSA
Organizations should understand that PCI Compliance is the organization’s responsibility, not the QSA’s responsibility. Though, not having well-qualified QSAs may encumber his or her ability to interpret ‘state of the art’ security and ensure that controls are commensurate with risk.
Price should not be the only factor to take into consideration when selecting a QSA. Consider the QSA methodology, assessment process, and internal training practices as well. Keep in mind that small consulting companies may lack the corporate knowledge of large QSA companies. There is strength in numbers; therefore, large QSA companies may be more profitable based on their global talent pool through various expertise, diversity of opinions, and insight of multiple industries.
Interview your QSA consultant before committing to an assessment. Select your QSA consultants based on their expertise and knowledge of your industry, technologies in use, and information security. Keep in mind that QSA consultants cannot be experts on everything but at least some exposure to the business processes and technologies used by your organization is very important. A QSA consultant with some experience in penetration testing or computer forensics is highly desirable. These individuals would be able to identify vulnerabilities easily based on their insight of past security breaches and hacking techniques, and your organization would obtain the most value out of each assessment cycle.
It is important to rotate QSA consultants at least every couple of years. Your organization may benefit from having different perspectives, expertise, audit skills, and vast approaches to the PCI DSS assessment.
4.1.3. Strengthen your monitoring and investigation capabilities
In the era where Advanced Persistent Threats (APTs) are more prevalent, organizations are realizing the dangers that could lurk around the virtual corner. Cyber hackers may spend as much time as needed to perform reconnaissance, research of the organization and technologies in use, to include obtaining information about the organization’s security controls in place.
Researchers found that the malware used in the Target’s security breach was custom-tailored for the intrusion which was carefully written to avoid detection by standard antivirus software on the market (Krebs, 2014b).
Organizations have to allocate more resources to strengthen their monitoring and investigation capabilities. Organizations should document their assets plus locations, network dataflow diagrams, identify potential threat vectors and the attack surfaces within them. The staff assigned to monitoring activities should support the cyber security initiatives through both predictive and reactive analysis, articulating emerging trends, perform network traffic analysis utilizing raw packet data, net flow, IDS, and custom sensor output as it pertains to the cyber security of communications networks.
Organizations with limited resources should at least adopt risk-based monitoring process. For example, system components could be classified according to criticality:
- Group 1: All system components that store cardholder data
- Group 2: All system components that process and transmit cardholder data but which do not store it even temporarily.
- Group 3: All system components that provide security and authentication services
- Group 4: All system components that provide access to the cardholder data environment
- Group 5: All system components that are facing external networks such as the Internet, partners’ networks, or wireless networks.
- Group 6: Any other components in scope not included in previous groups.
Ideally, organizations should monitor and investigate all the security events and alerts; however, assuming that resources are limited, organizations could use the following strategy to monitor and investigate activities:
- 50% of monitoring time assigned to group 1 and 2. The organization should investigate all the security events and alerts in this group.
- 35% of monitoring time assigned to groups 3, 4 and 5. The organization should investigate all the critical events in this group and remaining events only if there is time left.
- 15% of monitoring time assigned to group 6. The organization should sample security events and alerts in this group for additional research and investigation, and pick different types of events each day.
Organizations should learn from their own and other organizations’ mistakes. Special attention should be paid to attack vectors successfully used during previous penetration tests and for the techniques and attack vectors used by criminals to breach other organizations.
There are multiple links between PCI DSS compliance and an organization’s ability to defend itself against potential cyber breaches; however, still many organizations are failing to maintain compliance. Although it is great see PCI compliance increasing over the years, nevertheless the fact remains that organizations whether large or small are still not meeting PCI DSS standards. These PCI program issues maybe attributable to the organizations failing to comply with PCI Data Security Standard (DSS) or Payment Card Industry Qualified Security Assessor (QSA) companies failing to identity security issues during the initial assessment. These are serious concerns, because cyber criminals are staying ahead of the curve, and with increasing connectivity through technology, attacks may originate from anywhere in the world. We face a perilous cyber world that threatens organization’s ability to safeguard both data in transit and at rest therefore maintaining PCI compliance should be employed as the defense against manner of nefarious cyber activities. Organizations must continue to focus on the goal of safeguarding customer data, not just pass the PCI DSS assessment. Consumers are counting on organizations to secure data in transit while providing appropriate level of vulnerability management and overall risk management.