Can Validating PCI Compliance Increase Your Vulnerability To A Breach?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

It may sound like heresy coming from a QSA, but I see some merchants over-emphasizing their PCI annual assessment. The main event for them is a clean Report on Compliance (ROC) for Level 1 (and soon Level 2) merchants or a Self-Assessment Questionnaire (SAQ) for everybody else. They believe that once the ROC is signed, they can relax until the next year.

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.

Let’s get one thing out of the way: PCI validation is not the same as PCI compliance. Validation is an assessment or judgment based on evidence. It is something you do once a year. Compliance is different. It is a state where you, the merchant, actually meet all the rules and procedures every day.

Let me give two examples of the difference between validation and compliance. You can validate without being PCI compliant. Simply lie to your QSA or on your SAQ. Alternatively, you can validate conscientiously. But after someone changes a firewall rule or adds a wireless network or fails to check a system log, you are out of compliance in a matter of days or even hours.

Validation is important. I personally believe merchants should celebrate their completed ROC or SAQ. I tell clients they should send out for pizza and distribute some gift cards to everybody who worked so hard. As you clean up those empty pizza boxes after lunch, though, I want to ask yourself one question: It has been at least an hour; what in the world makes me think I’m still compliant?

I have never liked the card brands’ statement (echoed by the PCI Council) that no PCI-compliant organization has ever suffered a data breach. This statement highlights the distinction between validation and compliance. That you validated your PCI compliance a few weeks or months ago says very little about your present state of compliance. I personally wish everyone would stop repeating this mantra--I hate to taunt the bad guys, who have enough economic motivation already--but the brands and the PCI Council are justified.

Compliance is a 365-day-a-year job. It is true that many assessors and even the PCI Council refer to validation as being backward looking. What they mean is that your ROC or SAQ indicates you were PCI compliant at a certain date. But your ROC or SAQ says nothing about your compliance going forward. I want to propose a different description of PCI compliance, one that emphasizes the merchant’s ongoing responsibility. After all, the DSS contains a number of specific actions that you need to perform on a regular basis to remain compliant. Let me offer a few examples. PCI Requirement 1.1.6 says you need to review your firewall and router rule sets at least every six months. Requirement 11.2 says you need internal and external vulnerability scans quarterly. Requirement 11.5 tells you to run integrity checking on critical data files weekly. And Requirement 10.6 says you need to review system component logs daily. If you focus only on your annual assessment (i.e., validation), you will not stay compliant for long in the face of these semi-annual, quarterly, monthly and even daily requirements.

Failing to maintain your compliance increases the risk that you will be breached. The PCI Council found that 95 percent of breached merchants were not compliant with Requirement 10 (logging), 86 percent were not compliant with Requirement 11 (vulnerability scanning) and 70 percent were not compliant with Requirement 1 (firewalls). Combined with the opportunistic and relatively unsophisticated nature of most attacks, the clear message is that failing to maintain PCI compliance continuously places you and your company at increased risk.

There is another problem with obsessing over your annual assessment: It may make the next year’s assessment harder rather than easier. Merchants expect that once they have completed a ROC the first time, it will be easier the following year. When the same staff members are assigned, documentation is maintained and there are no major system or network changes, that may be the case. But it will not be the case if merchants focus too much on their ROCs and fail during the course of the intervening year to run their quarterly vulnerability scans, review firewall configurations or check their logs. It may be pretty difficult going back and filling in those gaps. As a result, merchants can fail their subsequent annual assessments, which is painful. When processors make the mistake, they risk falling off the list of approved service providers--a virtual death sentence.

I recommend appointing a PCI owner. It may not be a full-time job, but that person’s role is to make sure your company stays compliant all the time--not just one day a year. The PCI owner schedules all your scans at the start of the year and then monitors the results. That person doesn’t have to check the firewall rules or the logs personally, but he makes sure someone does and records the results. The PCI owner goes to PCI training, so he knows what documentation the QSA will expect. In my ideal world, the CIO stops by the PCI owner’s office periodically and asks to see the latest scan results and other compliance documentation. With this approach, the CIO can be confident of being PCI compliant all the time.

I sometimes ask a question at PCI training or a client kickoff meeting: “What is the difference between PCI and true love?” After a moment, I tell attendees, “PCI is forever.” My point is that PCI is not going away and that compliance is a continuous process. You should not ignore compliance for 11 months and then scramble madly to complete your annual validation in time.

Do you have a PCI owner in your organization, and is that approach working? As a CIO, how do you ensure your company stays PCI compliant 24/7? Do you disagree with me that PCI validation does not equal PCI compliance? I’d like to hear your thoughts, whether we agree or disagree. Leave a comment below or E-mail me at [email protected].