Surviving IT Security’s Dark Ages

Written by Evan Schuman
December 10th, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The economy sucks. So now is a great time to shift budget away from regulatory compliance and spend it on something that will actually make money for your company, like direct mail advertising.

No, I don’t actually believe that, but as we talk to retailers about security and compliance, I definitely get the feeling some executives are on the defensive when it comes to maintaining a focus on their areas during these "dark times."

To help them muddle through, here are a few suggestions that should tide folks over until the next "security renaissance," if you will.

  • Focus on automating manual security processes
    The problem with compliance-driven security is that upper management tends to relax once compliance is achieved, until the ramp-up to the compliance due date the following year, when compliance must be proven again.

    It’s a vicious cycle, and one of its by-products is a heavy reliance on manual procedures. These are seen as time-killers and often viewed as demeaning by security managers. To change the annual compliance game and reduce the rush to get proper paperwork in place, we recommend choosing three to five specific controls where the manual workload is overwhelming and developing an ROI-based analysis to justify the acquisition of automated tools.

    This is not a time to try to sell an overall compliance management strategy, IMHO. It is a time for a very focused, quantified justification aimed at such poorly implemented controls as security log management, application code review, data access authorization, change management and, of course, key management.

    For many organizations, these are some of the weakest controls and require extensive attention and manual oversight by security managers. The ROI analysis that’s required rests on the greater accuracy of automated tools as well as the labor cost savings. Every IT manager reading this should be able to identify several specific areas where additional security effectiveness could be achieved through automation, while saving thousands of dollars in labor costs now spent paying security professionals to perform tasks they pretty much hate.

  • Focus on risk reduction, not fine avoidance
    Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening monthly fines of $25,000 to $50,000 for non-compliance with the PCI standards. These letters drove much of the spending on PCI in 2006, 2007 and 2008.

    These fines, however, did not drive "strategy." They did the opposite. They did not drive risk-based controls. They drove checklist controls. Now that more organizations have achieved basic checklist compliance, through compensating controls or whatever means necessary, it’s time for security professionals to focus on documenting and measuring residual risk, which remains after checklist compliance has been achieved.

    We recommend reviewing your ROC or SAQ and identifying 5-10 areas where you know that ongoing risk is high and there is general "fear of the unknown" on the part of management. Wireless is a great example and so is application security. Then quantify the risks, in terms of potential loss, using security breach examples and some quotes from the PCI Knowledge Base or the press.

    The goal is to get upper management to appreciate the delta between compliance and security, without making PCI compliance appear to be a waste of money. Quantification of risk is the key to making your case.

  • Focus on improving self-assessment accuracy
    The advantage of doing 100 percent anonymous interviews is that some turn into confessionals. We have learned, for example, that most of the PCI self-assessments that retailers do are pretty liberal in their interpretation of certain PCI requirements. This is not to say that companies are deliberately filing false reports.

    But it is certainly fair to say that when there is a decision to make about how to interpret a specific requirement, most executives are opting for the interpretation that will get their box checked the quickest, rather than doing their best to protect the data.

    Given this situation, we recommend that security professionals use the documented self-assessment as a tool to argue for the specific controls, procedures or documentation that would be necessary to "prove" that the company really does what the self-assessment claims it does. In short, treat the self-assessment as a "promise" and tell upper management that you want to help make sure the company delivers on that promise.

  • The Bottom Line
    We are currently working on two different reports based on our research and we’d like your help. For the National Retail Federation’s Big Show in January, we’re working on a "Cost-Effective Compliance" project that will feature many of retailing’s Best Practices in PCI. The other effort of the PCI Knowledge Base is an analysis of the impact of PA DSS (Payment Applications Data Security Standard). If you are involved in either of these areas, or otherwise want to ask questions or discuss PCI, just send us an E-mail at
