I was pondering on whether or not to go to the PCI DSS conference. I’ve decided not to go because, frankly, I think the whole thing is now becoming a big waste of air. So many people are now making cash out of this: consultants consulting on how to achieve compliance, the banks raking in the fines for non-compliance, the vendors selling their technical compliance solutions and now SC magazine with their “book before 4 October and save £100” conference on the subject. In the meantime becoming compliant doesn’t actually mean a thing. I know this because I’ve drilled big holes through the security of so-called compliant companies who are still able to tick every box on the PCI SAQ questionnaire and pass a network scan.
I’m also bored with people who tell me that PCI compliance has to be our top priority. This is simply not true. Securing data properly and protecting our company assets is the priority – if we do that right then we’re PCI compliant by default. The same point is made on the PCI Answers blog: PCI isn’t an automatic validation of an organization’s security posture. In-fact, ignoring the intention behind PCI can turn it into a detriment. Compliance is not security.
I well understand that if I can go to my management and show them the quick wins I’ve achieved against the PCI DSS that it makes me look good. Oh look sir, this month we had our fax machines secured and so can tick all the boxes on the PCI assessment. Have we reduced risk to the business? Not a jot. Your PCI network scan came up clean. Are you safe? Sure, in the same way as having paper walls soaked in petrol can be certified as not being on fire.
If PCI Compliance were a ready meal, it would be a very bland one. The point I’m making is that it’s nothing to get excited about. The best example I can point to is the recent TJX case. According to an article published a couple of days ago, the attack took advantage of poorly implemented wireless encryption.
The wireless LANs were secured only by Wired Equivalent Privacy (WEP), a technology that has been known to be vulnerable for more than a year…the report concludes that TJX did not take sufficient steps to secure or dispose of the sensitive data. The company’s upgrade from WEP to WPA took too long, and sufficient encryption was not put in place, it says.
So were TJX certified as being PCI Compliant? I’ve not been able to find the answer to that question but it’s a moot point because as I’ve been saying the thought process behind PCI is flawed when compliance can be achieved for $150 as advertised here: https://www.scanalert.com/SignUp.sa?oc=2460. Clearly, if TJX weren’t taking appropriate steps to protect data then they weren’t compliant but would the auditors have spotted or known where to have looked to have found that the access points were only WEP encrypted? Yes they would, but it’s not actually contrary to the standard. The PCI audit guide only states
2.1.1 Verify the following regarding vendor default setting for wireless environments:
• WEP keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions
In other words, to be compliant with the standard you can use WEP so long as you changed the default key. In todays world that’s like protecting your wallet by dangling it on a piece of string hanging from your back pocket. So, I come back to the point I made earlier. You can check the box against Wireless Encryption on the PCI self assessment if you have WEP switched on and tell your management that you are compliant. What you have not done is adequately reduced risk.