Does PCI DSS Equal Security?

Jul 25, 2013

One of the first things you might hear when you start getting involved with PCI DSS is that PCI DSS does not equal security. That is a little strange when you think about it – after all, it is the Data Security Standard. So why do people say that, and is it true?

It might be seen a cynical ploy by some in the PCI industry. If you get compliant, then suffer a breach, you could be told ‘Don’t blame us, we told you that PCI doesn’t mean you are secure’. Curiously, the same people may be quick to remind you that no one who got breached ever turned out to be compliant on investigation.

But you and I are not cynics, so let’s approach this from another angle – how does PCI DSS stack up against the three cornerstones of information security commonly known as Confidentiality, Integrity and Availability?

First, PCI DSS is not concerned at all with Availability. In fact, from a PCI perspective, the less available that the card data is, the better. The nearest that PCI DSS gets to acknowledging Availability is a couple of bullet points in Requirement 12.9.1. Requirement 12.9.1 is all about having an incident response plan. The main focus, reasonably enough, is on incidents that could threaten disclosure of cardholder data but amongst the bullet points are that the incident response plan should include:

• Business recovery and continuity procedures
• Data back-up processes

Given that assessing this fully could be a major review in itself, it’s unlikely that they get much attention in most PCI assessments, so passing PCI isn’t really going to give much assurance about Availability.

What about Integrity?
Again, PCI DSS isn’t really concerned with this. It would prefer that you didn’t store card holder data at all, in which case integrity is irrelevant. If you do store it then it must be encrypted, which should provide some protection and access must be strictly controlled. But PCI DSS isn’t concerned with validating the data at the point of input or checking that it remains valid. Of course, if you try to process payments using invalid card numbers, they will be rejected but it is not a PCI DSS requirement. This isn’t a criticism; it’s just not what the standard is meant to do.

Focusing on Confidentiality
Here, PCI DSS stands up really well. Obviously, it cannot guarantee that cardholder data won’t be improperly disclosed – technical threats are developing all the time and there is a real world limit to how quickly organisations can put counter-measures in place. For example, PCI DSS accepts that there is an inevitable gap between a vulnerability appearing and patches becoming available. Nor can all the policies and awareness training in the world guarantee to stop someone behaving stupidly.

However, when it comes to mandatory PCI DSS requirements,you cannot opt out and ‘accept the risk’ – you must provide a strong defence against all the likely causes of data confidentiality breaches. For example, theyrequire that perimeter defences are in place with properly configured firewalls;that devices are securely configured with no default accounts and passwords left in place; and that anti-virus systems are in place, operating and up to date. Additionally, there must be need-to-know based access control with strong authentication measures, and to ensure that it is all working, there must be monitoring, log review, vulnerability scanning and penetration testing.

So, does achieving PCI DSS compliance mean that your data is secure?
Well, up to a point. If the requirements are met, then there is a significant level of protection even against new emerging advanced and zero day threats. In fact, it prompts the question why you wouldn’t want all your confidential data this secure. Of course, compliance is assessed at a point in time. The level of security is maintained only as long as the level of compliance is maintained and there is an inevitable tendency to let things slide once the assessors have gone. The challenge of maintaining compliance is at least as great as that of achieving it in the first place.

Author: Stephen Hancock – 7Safe PCI DSS Qualified Security Assessor.

To find out more about PCI DSS, or how 7Safe can help you achieve or maintain compliance, please contact us .