Friday, February 1, 2008

PCI DSS Class Thoughts

On Thursday, January 24, the New Jersey ISACA chapter held a class on the Payment Card Industry Data Security Standard (PCI DSS), which I taught. Thirty five people attended. Most were IT auditors, some were in information security roles, and a few were educators or administrative staff. The goal of the class was to give the attendees a clear understanding of the history of the standard, what it means now, what forces will most likely drive its development, and what it could become in the future.

The standard came about as a result of the efforts of the then-CISO at Visa, who I’ll name if he wishes. In the late 1990s he was concerned that merchants weren’t protecting their customer’s credit and debit card data suffficiently, so he floated the idea that merchants should follow a code of good practice: Use a firewall, use anti-virus software and keep it current, encrypt card data both when it’s stored and when it’s in flight, restrict access to systems that process card data, have a security policy that informs people that they should keep card data safe, and so on.

The idea caught on and in 2000 Visa announced its Cardholder Information Security Program (CISP). Shortly MasterCard, American Express, Discover, and the rest all launched their versions of the standard. At that point merchants became dismayed that they would have to follow a handful of similar standards with annual inspections from each, so the various firms providing payment cards banded together into the Payment Card Industry Security Council, which released its first standard in January 2005.

The threat landscape continues to evolve rapidly. In the 1990s merchants were worried that a hacker might capture a single card in transit. Now the bad guys can hire a botnet to scan millions of firms for vulnerabilities. The Atlanta-based start-up Damballa maintains statistics on botnets, and they are frightening. At present more than 1 in 7 PCs on the Internet is infected with some form of malware. The Storm botnet seems to have over 50 million zombies (Internet-connected PCs that are receiving and responding to commands from its control infrastructure). Estimates vary but there are now about 800 million PCs connected to the Internet, with the total expected to pass 1 billion machines by 2010.

Traditional information security measures are necessary but not sufficient. Someone once said that using basic information security was like putting a locking gas cap on your car. It may slow someone down, but it won’t keep a determined thief from punching a hole in your tank and draining the gas out. While that is true, for a long time we took a modicum of comfort in the thought that a thief in a hurry would see the locking gas cap and move on to the next car. But in this new threat model, the thieves use stealthy automation, have lots of time, and need almost no effort to undetectably siphon off sensitive data from everyone.

Now there is a whole industry around this standard: about 1,400 merchants globally are so large that they must have annual examinations. There are dozens of firms that are certified to perform those exams, and another slew of firms that are certified to perform the quarterly scans the standard requires. The PCI council certifies both examiners and scanning firms. Note that they don’t certify products; they certify a company’s skill and methodology. So if a scanning vendor uses tool A for certification and switches to tool B, they need to be re-certified.

Certification is valid for one year only. But certification doesn’t guarantee that a merchant won’t get ripped off. TJX suffered the largest breach known so far, with 94 million credit and debit cards stolen. During the 17 months that the bad guys were prowling around TJX’s systems, the firm successfully passed two full examinations and five quarterly scans, all performed by large and reputable vendors. The exam is an audit, not a forensic investigation. And the bad guys are more persistent, diligent, and motivated than the examiners. Some firms believe that since they passed an exam, they must be secure. All that passing the test means is that the firm is meeting minimum requirements. Creative, persistent, diligent information security measures, proactively applied by the firm itself, are the only way any firm will have a chance of finding the bad guys and shutting them down.

The class helps firms that handle credit and debit cards understand the obligations under the standard, but more importantly what additional measures they might take to avoid bad things happening. We look at the TJX breach in depth, reconstructing the apparent chain of events to highlight the tenacity and dedication of the bad guys. Remember that information security is entirely about economics: if the value of the information is greater than the cost of getting it, the information is not secure. For more information about the economics of information security, check out the Workshop on Economics and Information Security (WEIS).

If you use a credit card, be aware of small but unexpected charges. The thieves can get a million dollars just as easily by taking one dollar from each of a million users as they can from taking ten thousand dollars from each of one hundred users. The difference is that nobody complains about losing a buck. The thieves are evolving into endemic, chronic, annoying parasites. Being a 21st century cyber-crook may not be glamorous, but it is lucrative, low risk, steady work.

No comments: