Shortcomings with the PCI specification
I am frustrated with the Payment Card Industry Specification. Perhaps it’s 9 straight days of rain that has me crabby, but as I was referencing the PCI specification v1.1 today, I found myself annoyed enough with a few things to Blog about it.
Metrics: PCI metrics? Where do they talk about measurement of compliance? How do you judge? Is it a secret? For
Sarbanes-Oxley you have to list the controls you have, demonstrate that
they are operational, and periodically show that they are appropriate. I see no mention of controls, and no corresponding measurements in the PCI specification. Security
is not a black and white issue, and there should be metrics in place to
help get a handle on how you stack up, and see if you are making
improvements. Security is not a destination ...
What data to keep? There is a list of Credit Card related items that you can store, and what you may not keep. There is no explanation of what is optional to keep, how long the information can be kept, or should be kept for that matter. To me, the best way to reduce the possibility of data theft is don’t keep it around. Why is this not discussed? Why is does the PCI standards board not place an addendum in the specification on way to reduce CC data?
Network focused! Is it just me or is this document written by a group of security experts from the network realm? Perhaps
I am being overly sensitive, or perhaps because the word ‘network’
comes up 58 times, and the word ‘application’ 27, but the entire PCI
specification seems to be looking at the problem of credit card
security from the transport layer up. If I am
worried about the privacy and security of Credit Card numbers and
related information, I am most worried about where the data is stored,
and second where CC# is used. I am far less about how they are moved. Why? Because
network encryption available, it’s very effective, and is far easier to
implement (and implement well) that other types of encryption. It
can be retrofitted into the unsecured environment without affecting
business operations, and does not require the inspection of the data
that is being transported. Applications, both
those that use the information and store the information, are at a
distinct disadvantage in terms of complexity and threats. The focus of the standard seems backwards to me.
Security 101. There is nothing extraordinary about PCI. There is nothing in here that is novel or cutting edge about the recommendations. It’s good basic security. Organizations should be doing this … already. PCI is a minimum set of best practices in my opinion, and it still falls short. And we have companies with data breaches trying to hide behind a PCI compliant moniker? Grrrr!
Data Encryption and Compensating controls. My beliefs in this area are not widely shared. Encrypt all your backups! It’s no longer an optional practice! Encrypt Credit Card information in the database if you can, but as it may not be possible without a serious issue, compensating controls can be equally effective.
At various ISSA and ISACA meetings I have
attended, I am always shocked that a majority of IT administrators do
not want to implement encryption on backup tapes. At one meeting in
the crowd was unanimously against (well, except for me) it! The fear they voiced was not being able to locate the key and algorithm and decrypt at a future date, and not being able to recover. Yep, key management is tough, but it is part of the process. So I am not surprised this is not happening because the people responsible for it are fearful for their jobs, but this needs to happen.
The last time I implemented a credit card payment application, I did not encrypt the credit card data I kept in the database. I chose to use a separate database, with separate user account, with processing constrained to a small set of stored procedures, surrounded by a small set of checks and triggers to verify security and thus allowing no person to see or use the data. In a company full of cryptographers, long before their was a PCI standard, I made that conscious choice because I could show equal security and two orders of magnitude faster processing. As far as compensating controls, if they are intelligently designed, they can be a very effective alternative to encryption.
I would like to see PCI offer examples and
scenarios about the proper uses of encryption, key management best
practices and compensating controls. If you provide guidance, some of the mystery goes away, and adoption rates climb.
Enough ranting. I think there is sunshine outside. Time to get some fresh air.