
PCI Compliant Companies Don't Suffer Breaches

We've got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards.

That's a lot.

Heartland joins an elite group of companies that suffered a breach but had also been validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference.

There is a big misconception out there that needs to be cleared up. I've even written about it before in this blog. In our investigations of PCI related breaches, we have NEVER concluded that an affected company was compliant at the time of a breach. PCI Assessments are point-in-time, and many companies struggle with maintaining compliance every day in between.

Is there a problem with PCI? If there is one, the problem lies in the QSA community (or internal auditors that have not been through something like the CPISA training), not the standard itself. The new QA program aims to fix this, and time will tell if it hits the mark. The only snag I can see there is that virtually every question that is posed to the Council nowadays comes back with a standard answer that looks something like this:

The PCI Council empowers QSAs to make a determination if the stated controls meet the intent of the requirement. It's up to the QSA.

In some cases, this answer is warranted. I've heard of some of the questions they get. They range from "Does X technology meet Requirement 5?" (usually asked by that technology's vendor) to questions that arguably look like requests for free consulting. I do believe the Council has taken such a strong stance against making specific interpretation rulings that there will be room for a QSA to wiggle out of potential liability if they are remarkably good at paperwork.

So, to recap, our experience shows companies that suffer a breach are not compliant with the entire standard at the time of the breach. We should refrain from saying that another PCI Compliant company was breached because the facts show that it just is not true.

Comments

So if PCI-DSS demands an organization be certified compliant once every X months, can we then only be 'sure' they are PCI-DSS compliant that day, and may not be every other day? That is what it seems like you are saying, and that begs the question of the value of PCI-DSS compliance.

Further, if companies can 'self certify' now, and PCI-DSS certification has a

Excellent point, Mr. Curmudgeon. I would argue that some companies are not even compliant on the date of the ROC because assessments are not done in an instant. They typically take several weeks to do, and controls could easily be undone in that timeframe.

Level 1 Merchants have ALWAYS been able to self certify. It is up to the merchant to MAINTAIN that certification every day. Using a QSA is not a liability transfer exercise, which several companies are about to find out.
