PCI DSS is a Game of Catch Up
Brian Tokuyoshi - Product Marketing Manager
One of the problems with the Payment Card Industry Data Security Standard is that it will never reach a state of completion. That’s because PCI DSS defines protections against known security risks, and then maps out a list of things an organization must do to meet the minimum requirement for an acceptable level of security.
The goals of PCI DSS are noble, for it establishes practices for the handling of sensitive data, and thus ensures that security teams address issues that can’t be taken for granted anymore.
The problem, though, is that PCI DSS frames its requirements as checklists of technology to deploy, prescribing protection against known threats. You can’t prescribe a solution to a problem you don’t know about, so PCI DSS will always lag behind new, emerging threats. The danger is that companies that have achieved compliance with the current version of the standard might rest on their laurels and not proactively do something about the new threats.
For example, what would have happened if the first PCI DSS spec had come out 10 years ago? It might have talked about requirements for firewalls, because perimeter security was the primary defense against the bad guys at that time. Meanwhile, newer inside threats such as malware, rogue wireless access points, and sniffer bots would still have been able to operate freely while the organization remained confident it was secure because it met the specification as it stood at that time.
According to a recent article in Wired Magazine, there is a new attack that goes straight after information that was supposed to be guarded by the PCI DSS specification. The PIN associated with an ATM card must be encrypted, as PCI DSS requires. The problem, however, stems from the fact that the PIN is decrypted and re-encrypted by various systems along the way, so it is exposed at each hop rather than protected end to end. Meanwhile, hackers discovered a way to obtain the PIN, using techniques such as tricking the Hardware Security Module (HSM) into revealing the encryption key used to protect the PIN.
The article cites the manufacturer, who states that the issue is largely the result of misconfigured HSMs and that “lazy administrators” are to blame. The PCI Security Standards Council is currently working on recommendations for HSMs, but clearly there is a window open for criminals right now while attacks are underway.
Compliance isn’t an end state, and completing a PCI audit isn’t a guarantee of safety against the bad guys. Compliance is also not a safe harbor against data breach notification obligations. What’s important is to stay ahead of the game, be proactive about emerging threats, and recognize the limits of what compliance affords you. PCI compliance is a good place to start your security policy, but keep in mind that true security requires a higher standard of vigilance and data protection.