A new study was released by Branden Williams and the Merchants Acquirer Committee (MAC), and it is worth a read. One aspect that jumped out at me is the gap between "compliance" and "compliant" rates shared in the study: the difference between merchants who have represented themselves as PCI compliant through Attestations of Compliance (AOCs) and those whose programs have actually been pressure tested by the criminals of the world and been found wanting.
Here is the snippet from PCI Guru that highlights this discrepancy:
The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants. Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments. However, most troubling is that Level 4 merchants are only 39% compliant.
Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011. Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant. Level 2 merchants were reported to be at 91% compliance. Level 3 merchants were reported at 57% compliance. As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.
via New PCI Compliance Study | PCI Guru.
Here is the link to the report from Branden & MAC.
The Board of Directors, the CISO, and legal should all care deeply that PCI security (and certainly the security required by other contractual agreements) is achieved honestly. Too often organizations treat this like registering a car with the government. It is far too complex, and far too impactful to people inside and outside a given business, for that. The cyber-economic connections between proper, efficient, and effective security all lead to better products in the market and more focus on what the business is driving towards.
Is your program honestly secure and fully addressing these best-practice principles?
Posted in audit, information security, Payment Card Industry Data Security Standard, PCI DSS
Tagged 2015, branden williams, Compliance, cyber, data breach, deluccia, expert, mac, pci guru, report, study, survey
Despite the slew of data privacy breaches I have spoken about here, the EU and UK in general have a longer horizon to reach critical mass with secure and compliant payment card environments. This is surprising given the seriousness and depth of the body of law within these regions around data protection and security. It is now being addressed more seriously by the PCI SSC with the appointment of Jeremy King as the Director for the EU.
A nice article by TechTarget is available here. The challenge of addressing state, EU, and UK mandates is nicely articulated by King in the following excerpt:
He concedes that Europe is more complex because every country has its own rules, regulations and requirements. “This creates challenges that are different in each country. I’ll be going round the different banking associations and acquirers so we can tackle some of the issues and resolve some of the problems that are preventing people from achieving PCI compliance,” King said.
The value of the PCI DSS structure, though, is that it is consistent across borders and applies to payment card environments regardless of jurisdiction. That consistency should drive greater adoption, not less, unless there are state laws that conflict with the adoption of industry best practices.
It is an interesting discussion and a welcome, progressive step to see a stronger focus on providing resources, support, and time.
A great Security B-Sides presentation entitled “How really to prepare for a credit card compromise (PCI) forensics investigation: An ex-QIRA speaks out – David Barnett” was posted on slideshare.net and is a great primer for the “what happens now” situation when an event may have occurred. Since it was posted I have referred many readers to the slides, and each returned with positive comments but asked what jumped out at me (it is 57 slides, after all). Two thumbs up to David Barnett for the presentation.
While I still believe readers should go through the entire presentation (and the other published materials from Visa, MasterCard, and your acquiring bank), here are my favorite slides (slide number first, then what jumped out at me):
- 10, Implicitly this slide screams – know all the parties that are participants and who must be seriously involved (preparation and planning in addition to an assessment of parties is key here)
- 13, A great simple slide showing how far we have come over the past few years (yes… the PCI STANDARD has evolved, but the global regulatory, legal, and consumer landscape is vastly different)
- 24, A beautiful timeline showing the flow of breaches; compliance; fraud; and discovery
- 35, The final quote speaks volumes – be careful that teams are not evaluating their own work (in the audit world this is a strict requirement, and for good reason; it is one for which we in security should have a stronger validation structure)
- 37, Key focus here – PCI is about reducing card fraud, and the forensic response by the card brands is focused on mitigating further damages. Every organization must undertake additional forensic efforts of its own to protect the business’ IP and other sensitive data that may also have been exposed
- 40, Everyone loves numbers… here are some articulated fines
- 47, The transaction world is a partnership between all the participants, and as in any deep relationship, organizations should establish a strong dialogue and working partnership with all parties handling their customers’ sensitive data
While this presentation takes the post-breach position, I would challenge readers to embrace a principle strongly supported by accounting controls and global industry best practices: monitoring. Focusing only on clean-up requires an organization's leadership and team members to fully understand their business after the fact. In fact, I have seen many organizations mature rapidly into responsive organizations able to handle fluid business shifts as a result of having mature detection, response, and monitoring controls in place.
On a side note, the presentation does have a dedication slide to David Taylor and everyone who met him knows his passion was for bettering the world, and hopefully we all can continue his mission.
KPMG put out a list of 10 to-do items for Audit Committees that defines excellent areas that should receive attention given the economic and competitive environments. You can find the press release here. Upon reading it I was struck by the corresponding Information Technology to-do items related to security and risk management, and wanted to share those that stood out.
- IT strategy should be reset – Nearly all budgets were changed in 2008/9, forcing massive shifts from the original 1/2/5 year plans. Enough time has passed since that shift to the immediate short term (made to avoid becoming terminal) to pick our heads up and assess the landscape. Goals should be reviewed, priorities re-evaluated, and teams adjusted to fit the new operating norms. This is not an endorsement to double budgets or blindly return to old plans, but a call to refocus and consider the business and operating realities BEFORE moving into new initiatives.
- What was lost during the cutting? – As organizations went through mergers and shrinking budgets, certain information safeguards were impacted, whether by staff reductions or by lapses in the maintenance of systems. An inventory of the technology and process canvas is necessary to see what assets exist within the organization. Assets do not mean only hardware, but also software, process, and the people that form the glue!
- Consider the risk landscape – As the business evolved and adjusted to the challenges of the past two years, many changes occurred to its operations and structure. These may include divestitures, consolidations, new partnerships, outsourcing, cloud computing, and other strategic cost-saving moves. The end result is the creation of new logical relationships and inter-dependencies that require consideration. An enterprise risk analysis can uncover these newly formed risks and ensure they are addressed with the appropriate and necessary safeguards.
- Duck and cover – An unfortunate consequence of a challenging year (or two) for companies is the natural response of team members to put their heads down and avoid making sudden moves that may draw attention. This directly harms the business – a loss of innovation, good-will, and the full engagement of each associate. Leaders can address this by communicating the state of the business and taking demonstrable actions that reinforce the message.
The most important aspect for IT strategy and business is to re-center, focus on the people, and push/pull/drag the organization to a stronger more secure future.
James DeLuccia IV
Posted in audit, auditing, Business Agility, Compliance, GLBA, Governance, iia, information security, IT Controls, Management, mergers and acquisitions, Payment Card Industry Data Security Standard, PCI DSS, Risk Management, Security
The British government's Defence Manual of Security (2001) was leaked to the internet on October 4, 2009. The press and WikiLeaks provide a good breakdown of the information within it, and it is fairly accessible to those interested. What strikes me as interesting is not that it is now in the public space, but the concern some organizations have with exposing their security protocols. The thinking is as follows:
How does this relate to your practices as an organization within information safeguards, PCI DSS, and GRC?
Security requires a good plan and a properly executed set of operations. Security is good because it is well designed and well operated, not because it is unknown: security through obscurity is a flawed practice, proven so time and again. Think of open source, and of the many broken “proprietary / secret” protocols and methodologies. The point is this: good security should withstand the glaring spotlight and make plain how difficult it is to breach, rather than depend on weaknesses that are protected only by blind luck.
In short, organizations should not be afraid to share their security realities and compliance safeguards with their teams and partners. Obscurity is not the answer; resilience comes only through prudent review, regular enhancements, and agile response to shifts in the business and the risk landscape.
The combination of good self assessments, transparent and open audits with partners and firms providing attestation services, and open dialogue between the business and owners of information assets are key.
The document leaked is 2,389 pages, so you may want to get a venti coffee.
Other thoughts? Any moving forward lessons found in the document?