“Blaming the Victim and the PCI DSS is…Passe” - PCI DSS; GlobalPayments & Data Theft
April 1, 2012. Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.
Tags: Chris Mark, cybersecurity, data breach, Global Payments, InfoSec, mastercard, PCI, PCI DSS, visa
In an effort to beat the “PCI Evangelists”, “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening. By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and, no doubt, many will have already condemned the company for “PCI DSS non-compliance” or for being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security. Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.
Before they are condemned I want to go on record and say it is NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland Worldpay and many more before them, GlobalPayments has been held out as the paragon of PCI DSS compliance for years. Now that they have been breached they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider” will have either been revoked by the card brands or be under “review”. In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated” and so on. Neither of these positions is accurate.
Here it goes…(drum roll please)…
The PCI DSS is a solid set of information security controls and represents minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities.
Being PCI DSS compliant does NOT mean a company is invulnerable to data compromise. It was never intended to be the final word in security. (For those debating this point, I was on the team that wrote the original standard in 2001.) Conversely, a company that is compromised should not be immediately branded as ‘non-compliant’ or ‘insecure’. In January 2009 I wrote an article for TransactionWorld titled “Lessons from the Heartland Breach” in which I wrote: “The Heartland breach should not be viewed as an indictment of the organization's security posture, but as illustrative of how difficult it is to adequately protect sensitive data.” The fact remains that companies are under assault by groups and individuals focused on stealing their data. PCI DSS is a set of minimum controls. Much like a motorcycle helmet or seat belt, it is intended to reduce the “RISK” of compromise. Here is another excerpt from the 2009 article:
“Every year motorcycle riders wearing helmets are killed in motorcycle accidents. Studies demonstrated that motorcycle fatalities increased 81% in Florida, 50% in Kentucky and 100% in Louisiana since helmet laws were repealed. It is interesting to note that studies do not suggest that motorcyclists were not killed while wearing helmets, simply that more died after the helmet laws were repealed. Similarly every year drivers wearing seatbelts are killed in automobile accidents.
It would be naive, though, to suggest that seatbelts and motorcycle helmets are ineffective or that the laws mandating their use are ineffective because a percentage of riders and drivers are killed in accidents. In the vast majority of instances motorcycle helmets and seatbelts work as intended to reduce injury and fatalities associated with accidents. Motorcycle accidents, automobile accidents and data compromises consist of complex sequences of actions and variables that are difficult to predict or prevent. It is tempting to view these events and believe that one well-placed control or series of controls can prevent a major event from occurring or mitigate the risk associated with riding motorcycles, driving cars and handling sensitive data. It is clear that there is inherent risk in each of these activities and the only way to remove all risk is to not engage in the activity. Seatbelts, helmets, and firewalls are controls that are only intended to mitigate a particular risk associated with the activities.”
In a recent interview Heartland’s CIO Kris Herrin stated: “We know that the very first breach to our corporate network was December 2007. It was detected at the time, and we believed it was cleaned up, but it wasn’t completely. It turned out to be much more persistent than anyone thought. They spent a lot of time avoiding detection and finding new ways to move around laterally and get into information.”
The point is that, like seatbelts and helmets, the PCI DSS and ALL information security controls are designed and intended to reduce the risk of compromise…not to prevent all compromises. While both Global and the PCI DSS will take their lumps over this latest compromise, neither deserves all the blame.
For more information you can see a presentation on the “Failing of PCI DSS as a Security Strategy”.