A new study was released by Branden Williams and the Merchant Acquirers' Committee (MAC), and it is worth a read. One aspect that jumped out at me is the gap between attested compliance and measured compliance shared in the study. The difference is between merchants who have represented themselves as PCI compliant through an Attestation of Compliance (AOC) and merchants whose programs have been assessed, or pressure-tested by the criminals of the world, and found wanting.
Here is the snippet from PCI Guru that highlights the discrepancy:
The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants. Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments. However, most troubling is that Level 4 merchants are only 39% compliant.
Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011. Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant. Level 2 merchants were reported to be at 91% compliance. Level 3 merchants were reported at 57% compliance. As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.
via New PCI Compliance Study | PCI Guru.
Here is the link to the report from Branden Williams and MAC.
The Board of Directors, the CISO, and legal should all care deeply that PCI security (and, of course, the security required by other contractual agreements) is achieved honestly. Too often organizations treat this like registering a car with the government. It is far too complex, and far too impactful to people within and outside a given business, for that. The cyber-economic connections between proper, efficient, and effective security all lend themselves to better products in the market and more focus on what the business is driving towards.
Is your program honestly secure, and does it fully address these minimum practices?
Posted in audit, information security, Payment Card Industry Data Security Standard, PCI DSS
Tagged 2015, branden williams, Compliance, cyber, data breach, deluccia, expert, mac, pci guru, report, study, survey
Despite the slew of data privacy breaches that I have spoken about here, the EU and UK in general have a longer horizon to reach critical mass with secure and compliant payment card environments. This is surprising given the seriousness and depth of the body of law within these regions around data protection and security. The PCI SSC is now addressing it more seriously with the appointment of Jeremy King as its European Director.
TechTarget has a good article on the appointment. The challenge of addressing national, EU, and UK mandates is nicely articulated by King in the following excerpt:
He concedes that Europe is more complex because every country has its own rules, regulations and requirements. “This creates challenges that are different in each country. I’ll be going round the different banking associations and acquirers so we can tackle some of the issues and resolve some of the problems that are preventing people from achieving PCI compliance,” King said.
The value of the PCI DSS structure, though, is that it is consistent across borders: the same requirements apply to the same scope (the payment card environment) everywhere. That should encourage adoption rather than hinder it, unless national laws conflict with the adoption of industry best practices.
An interesting discussion, and a welcome, progressive step to see a stronger focus on providing resources, support, and time.
A great Security B-Sides presentation entitled “How really to prepare for a credit card compromise (PCI) forensics investigation: An ex-QIRA speaks out – David Barnett” was posted on slideshare.net and is a great primer for the “what happens now” situation when an event may have occurred (a QIRA is a Qualified Incident Response Assessor, one of the forensic investigators approved by the card brands). Since it was posted I have referred many readers to the slides, and each returned with positive comments but asked what jumped out at me (it is 57 slides, after all). Two thumbs up to David Barnett for the presentation.
While I still believe readers should go through the entire presentation (and the other published materials from Visa, MasterCard, and your acquiring bank), here are my favorite slides (slide number first, then what jumped out at me):
- 10, Implicitly this slide screams: know all the parties that are participants and who must be seriously involved. Preparation and planning, in addition to an assessment of the parties, are key here.
- 13, A great, simple slide showing how far we have come over the past few years (yes, the PCI standard has evolved, but the global regulatory, legal, and consumer landscape is vastly different too).
- 24, A beautiful timeline showing the flow of breach, compliance, fraud, and discovery.
- 35, The final quote speaks volumes: be careful that teams are not evaluating their own work. In the audit world this is a strict requirement, and for good reason; it is one where we in security should have a stronger validation structure.
- 37, Key focus here: PCI is about reducing card fraud, and the forensic response driven by the card brands is focused on mitigating further damage to the payment system. Every organization must undertake additional forensic efforts of its own to protect the business's IP and any other sensitive data that may also have been exposed.
- 40, Everyone loves numbers; here are some of the fines, spelled out.
- 47, The transaction world is a partnership between all the participants. As in any deep relationship, organizations should establish a good dialogue and a strong working partnership with every party handling their customers' sensitive data.
While this presentation takes a post-breach position, I would challenge readers to embrace a principle strongly supported by accounting controls and global industry best practices: monitoring. Cleaning up after an event requires leadership and team members who fully understand their business, and that understanding is built before the event. In fact, I have seen many organizations mature rapidly into businesses that are responsive and able to handle fluid business shifts as a result of having mature detection, response, and monitoring controls in place.
On a side note, the presentation does have a dedication slide to David Taylor and everyone who met him knows his passion was for bettering the world, and hopefully we all can continue his mission.
KPMG published a list of ten to-do items for Audit Committees that defines excellent areas deserving attention given the economic and competitive environment. You can find the press release here. Reading it, I was struck by the information technology to-do items it implies for security and risk management, and wanted to share those that stood out.
- IT strategy should be reset: Nearly all budgets were changed in 2008/9, forcing massive shifts from the original 1/2/5-year plans. That pivot to the immediate short term, made to avoid becoming terminal, has passed long enough for us to pick our heads up and assess the landscape. Goals should be reviewed, priorities re-evaluated, and teams adjusted to fit the new operating norms. This is not an endorsement of doubling budgets or blindly returning to old plans, but a call to refocus and consider the business and operating realities BEFORE moving into new initiatives.
- What was lost during the cutting? As organizations went through mergers and shrinking budgets, certain information safeguards were impacted, whether by staff reductions or by lapses in the maintenance of systems. An inventory of the technology and process landscape is necessary to see what assets actually exist within the organization. Assets do not mean only hardware, but also software, processes, and the people that form the glue!
- Consider the risk landscape: As the business evolved and adjusted to the challenges of the past two years, many changes occurred to its operations and structure: divestitures, consolidations, new partnerships, outsourcing, cloud computing, and other strategic cost-saving moves. The end result is a set of new logical relationships and inter-dependencies that require consideration. An enterprise risk analysis can uncover these newly formed risks and ensure they are addressed with the appropriate and necessary safeguards.
- Duck and cover: An unfortunate consequence of a challenging year (or two) is the natural response of team members to put their heads down and avoid making sudden moves that might draw attention. This directly harms the business through a loss of innovation, goodwill, and full engagement from each associate. Leaders can address this by communicating the state of the business and taking demonstrable actions that back up the message.
The most important aspect for IT strategy and business is to re-center, focus on the people, and push/pull/drag the organization to a stronger more secure future.
James DeLuccia IV
Posted in audit, auditing, Business Agility, Compliance, GLBA, Governance, iia, information security, IT Controls, Management, mergers and acquisitions, Payment Card Industry Data Security Standard, PCI DSS, Risk Management, Security
The British government had its Defence Manual of Security (2001) leaked to the internet on October 4, 2009. The press and WikiLeaks provide a good breakdown of the information within it, and it is fairly accessible to those interested. What strikes me as interesting is not that it is now in the public space, but the concern some organizations have about exposing their security protocols at all. The thinking is as follows:
How does this relate to your practices as an organization within information safeguards, PCI DSS, and GRC?
Security requires a good plan and a properly executed set of operations. The reality is that security is good because it is good, not because it is unknown. Security through obscurity is a flawed practice, disproven time and again; a system should remain secure even when everything about it except the keys is public (Kerckhoffs's principle). Think of open, publicly reviewed protocols versus the long list of broken “proprietary / secret” protocols and methodologies. The point is this: good security should withstand the glaring spotlight and make the difficulty of breaching it plain, rather than relying on weaknesses that are protected only by blind luck.
In short, organizations should not be afraid to share their security realities and compliance safeguards with their teams and partners. Obscurity is not the answer; security comes only through prudent review, regular enhancements, and agile response to shifts in the business and the risk landscape. (This is about the design and the controls, not the secrets: keys, credentials, and unremediated vulnerability details still need to be protected.)
The combination of good self-assessments, transparent and open audits with partners and with firms providing attestation services, and open dialogue between the business and the owners of information assets is key.
The document leaked is 2,389 pages, so you may want to get a venti coffee.
Other thoughts? Any moving forward lessons found in the document?
So, there are tremendous implications for their business model, but to place the spotlight on one area, let's focus on data security and regulation (my favorite). AMEX is one of the organizations that built the PCI DSS, the PCI SSC, and all of its recent publications. The intent of PCI was to have industry-enforced mandates that protect cardholder data. Before their IPOs, Visa and MasterCard were bank-owned associations with a lot of leeway in how they handled operations, and they were able to keep the management of the requirements in-house. Given the IPOs of those two associations, and now AMEX becoming a bank, the future looks far different than it did three months ago and twelve months ago.
Banks operate under extensive regulation, and there is a substantial body of guidance on safeguarding data through information technology controls; the FFIEC IT Examination Handbook booklets are renowned for their coverage of this area. Beyond these known requirements, additional third-party requirements will be introduced. Anyone who has worked with a financial institution that must abide by GLBA knows that its service providers, too, must satisfy those requirements.
My point in highlighting GLBA and regulatory leakage (when the requirements of one sector trickle down into other sectors of the economy; SOX, anyone?) is that while PCI DSS is here to stay, there must be greater forms of validation surrounding information technology and controls. Those who operate within the payment industry would be strongly advised to continue practicing PCI DSS, but also to maintain a more holistic view of the contributing and supporting regulatory mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming a bank will impact business?
James DeLuccia IV
Event Update: BOOK Signing, Free Tastings, and such at Starbucks 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (there will be prizes, so feel free to stop by even for just a moment!)
On September 10th I spoke at the CSO Conference on the PCI DSS with an impressive group of speakers and representatives from across the industry, including Chris Mark and numerous CIOs. The discussions focused on the current state of the union within the payment transaction vertical. There was plenty of focus on the use of ERM, the quantification of risk by trending each business's own experience, and the transitioning of risk ownership to executives within an organization.
In attendance was a wide range of executives, but the primary population came from the financial industry and was mainly CIOs. The topics of the conference included “The State of PCI DSS”, Business Process First, Time Inc. “Time Goes Global with Compliance”, Best Practices from the PCI Knowledge Base, and of course a panel discussion. Attendees and friends of CSO Magazine can see the archived presentations (some were VERY rich, more so than is commonly provided) starting today. While it is impossible to break down all the great sessions and extensive discussions, I do want to highlight a few points that stuck with me.
- Future of PCI DSS: PCI DSS is evolving into a risk-based approach. The attending experts predicted that the council will move to a pure risk-based approach, in line with global practice.
- Risk ownership: The success of PCI and compliance engagements depends partly on ownership and on the visibility of the benefits of achieving PCI compliance. Several organizations achieved this in their own ways, but the most common was distributing risk ownership across the business.
- Conflicts of interest: Separation of duties means enforcing a mechanism that eliminates the conflicts of interest between the three phases of assessment, implementation, and attestation. Specifically, companies must put a framework in place (leverage your internal audit group) that restricts any single party from conducting all three.
- Crosswalk / regulation alignment / shared documentation: It is ideal to leverage documentation across different compliance efforts, for example BITS. Doing so must account for the amount of overlap that actually exists (is the overlap sufficient for the mapping work to have a positive return?) and whether the scope of controls is equivalent between the two approaches. Each standard is focused on its own risks (PCI on cardholder data, BITS on financial data) and therefore addresses only those risks. Organizations have many more risks than either covers, and must manage each of them appropriately against the relevant set of standards. Organizations should consider bringing the documentation efforts together and capturing the efficiency that comes from simplifying the control set by limiting the variety of similar control types.
Action: Take a look at how you're managing your PCI and other compliance initiatives. Do you have the responsibility? Should you own all of it? Don't reinvent the wheel: leverage your risk management and internal audit teams, whose documentation, tools, and charters are all there for you to use.
A great seminar, where extensive discussions were enabled by the format and the quality of the attendees. I paid for this trip to NYC out of my own pocket, and found the value well worth it.
If readers have specific requests about the presentations (here is the conference agenda), please post them and I will answer them as fully as possible.
James DeLuccia IV