PCI DSS Is A Process, Not A Checklist

Data breaches happen. We all know this simple fact. It's plastered on the news and the Internet. We hear about the big ones from co-workers, friends, and family. The recent Heartland Payment Systems breach, reported here on Dark Reading, is a testament.

I've written about the inevitability of security program failures in the past. No matter how secure you think you are, a breach will occur. It could be small or big, but it will happen -- and probably in the least likely manner you would have suspected.

What's that? You say you're PCI DSS compliant? That's excellent. Congratulations on jumping through the hoops to get your gold star. Want to know something scary? Heartland was given the PCI compliance seal of approval back in 2008 from Trustwave. You can see that here on VISA's "List of PCI DSS Compliant Service Providers" (PDF); meantime, according to some reports, its breach may have occurred as far back as May 2008.

"Security Warrior" blogger Anton Chuvakin posed the question you're probably wondering yourself: How can a company "that was audited by a QSA and deemed 'PCI DSS compliant' at some point be breached and have all their credit card information stolen at some later point?" I know I was asking the same question when I saw the VISA compliance list. Anton poses some scenarios as to how, but I think the real reason is that companies don't realize the PCI DSS is truly a process and not a checklist.

PCI DSS does not mean you are completely safe from being a data-breach statistic. It means you've complied with the requirements, subsequent scans confirm that, and some trustworthy and diligent QSA has filled out the checklist saying you've done so. Being secure does not end there. The elements that go into complying with PCI DSS need to be followed day in and day out -- not just every quarter when your scan is scheduled or your annual pentest comes up.

What is it going to take for companies to realize this? Maybe they (or someone very close to them) will have to experience a breach themselves. What would happen to many of the compliant companies if their scans were run randomly throughout the year instead of on a scheduled monthly or quarterly date? Thanks to Heartland, it's obvious 2009 is going to be an interesting year with regard to breaches and PCI DSS.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
