Q&A: PCI compliance

Jim Bibles is a Product Manager at Qualys currently directing the development and enhancement of the company’s QualysGuard PCI solution. His security background includes the development and implementation of both internal and external information security compliance programs for Fortune 100 companies. In this interview, he discusses PCI compliance.

What are the most significant PCI DSS challenges?
There are two big challenges: merchant education and IT budget constraints.

Many smaller merchants are still trying to figure out their own processing environment and are overly reliant on service providers to manage the environment for them. To address this, the industry must do a better job at educating merchants that they are ultimately responsible for the information they gather from their customers – even if they outsource this function – and then assist them by developing a certification program for these service providers. That way, the merchants have the tools to make an informed decision when it comes to selecting a provider.

Budget impacts both large and small merchants. For larger merchants, investment in security tends to lag behind investment in processing technology. To compound the issue, the new processing technology that is implemented can often make the network even more vulnerable if not done properly. But, because processing technology is often viewed as a revenue generator it is approved much quicker than security-related investments which are perceived as operational costs. In reality, the security investments preserve revenue and facilitate growth.

How does PCI DSS differ from other regulatory schemes?
I do not think that the challenges we face with PCI DSS are that different from other regulatory schemes. Where I think the difference comes in is in the risk associated with non-compliance and the method of enforcement of PCI DSS. I do not know of any other standard that has such a high penalty for non-compliance and is enforced on merchants by both the government (through codification of the standard) and their financial institution.

What are some of the most common misconceptions when it comes to PCI compliance?
The biggest misconception is that the compliance process ends with validation. I have seen this time after time, merchants work fervently to achieve compliance, turn in their compliance validation documentation, and then refocus on other activities until it is time to revalidate. The problem with this scenario is that they are only secure for that specific “point-in-time” and then neglect security until the next certification. This leaves the merchant exposed and, in several cases, has led to some very significant security incidents.

Conversely, I know of merchants that have complex networks and have been “working on their compliance” for a long period of time. Their work has been on-going and they’re very diligent about their program. As a result, they have truly made their network secure. So in effect PCI DSS validation itself is not what makes a merchant more secure; it is how they incorporate the PCI DSS principles into their everyday processes that ultimately protects them.

Based on your experience, would you say that the PCI DSS is succeeding?
Yes, while we continue to see breaches, they are less frequent and more sophisticated. From this perspective, we are making the competent hackers work much harder for their “money” and freezing out the less competent hackers.

With the PCI requirement it seems that some merchants only seek compliance and ignore other security measures. Thus, they are essentially insecure while being compliant. What advice would you give to organizations that are thinking about compliance this way?

Merchants should not build a program specifically for PCI DSS. Rather, they should have an information security program that is robust enough to meet the PCI DSS standards. If they do this, and make security an on-going priority, then they will be more secure and comply with whichever standard is relevant to their particular industry. Security needs to be an operational mandate.

What’s your take on the high profile security breaches where the affected party was PCI compliant?
According to the PCI Council, no merchant was deemed to be PCI DSS compliant at the time that they were breached. But even with that said, no security program is going to be 100% foolproof. Breaches are going to happen, period, end of story. However, by implementing the PCI DSS standard, the risk is substantially reduced and damage can be minimized. I’ve seen first-hand the positive impact layered security (the PCI DSS approach) can have during a breach, including:

1. It reduces the type and amount of data that can be taken at once through:

  • Non-storage of track data
  • Removal of unnecessary cardholder data from the network
  • Encryption of business data.

2. It detects the attack in a timely manner, thus limiting the amount of data that can be gathered by a sniffer.
3. It prevents the data from being able to be removed from the environment.

So again, while breaches can still happen, adherence to the PCI DSS principles will make them less costly. Please note that I said adherence to the principles, not validation of compliance; there is a big difference.

How does Qualys approach PCI compliance and what do you see as your strengths in the market?
Qualys believes that true PCI DSS compliance is an ongoing process, not something you achieve at a point in time.
Our strength lies in the fact that our solution enables entities to do real-time monitoring and enforcement of their security policy in a flexible and cost-effective manner. Key features include:

1. Unlimited vulnerability scanning and the inclusion of an automated workflow for false positives.
2. Enhanced SAQ portal that enables merchants to:

  • Complete multiple questionnaires per company
  • Load audit evidence into the questionnaire
  • Identify relevant compliance solutions while completing the SAQ
  • Submit SAQ to their Acquiring Bank online.

3. Assists with PCI DSS req 6.6 by allowing merchants to launch an automated Web Application Scan directly from the Qualys PCI portal.
4. Workflow for expert review.