This is page 2 of:
Barbie’s New Cry: “PCI Is Tough.” An RSA Defense Plan
Eliminating remote access risks business disruption, and it will at the very least inconvenience a lot of users. I’m just an assessor, but if it were my job on the line, I’d rather face screams from users than see my CEO on the six o’clock news trying to explain a cardholder data breach any day.
Taking a longer perspective, PCI Requirement 12.1.2 says you have an annual risk assessment process. I wonder how many retailers have considered the risk of their security provider itself being compromised (or going out of business or being acquired or changing its product direction)? If you did not include this contingency, now is a particularly good time to add it to your risk assessment.
I have always been of the simple-minded belief that only two types of systems were ever built: those that have been compromised and those that are going to be compromised. If you think about it, that is an underlying principle in a data protection standard like PCI DSS. Nobody ever promised that security providers are uniquely invulnerable, and it is unreasonable to expect them to be. There is no such thing as 100 percent security. Security companies like RSA attract hackers like dogs on the back of a meat truck.
With that in mind, I’d include the impact of a security service provider being compromised in both your risk assessment and your incident response plan. RSA may be this week’s story, but you can rest assured there will be another attack or another previously unsuspected vulnerability next week that will have CIOs reaching for the antacid.
This brings me to the joint security announcement by three leading hotel associations. It appears they have come to the profound conclusion that the bad guys target their member hotels. It seems the combination of storing large amounts of electronic cardholder data from current and past guests and having weak security controls is too good an opportunity for cybertheives to pass up.
The associations jointly recommended three actions: changing default passwords; restricting vendor access to hotel systems; and installing a firewall. To their credit, the associations also think it is a good idea to become PCI compliant, “because the threat is real and because PCI is effective.” Unfortunately, it appears they also consider actual PCI compliance—which addresses each of their issues in Requirements 2.1, 12.3.9 and 1.1, respectively—”very challenging” and, by implication, too hard for some of their members.
I am reminded of the ill-fated Barbie Doll that whined: “Math class is tough.” The maker pulled it from the market after numerous well-justified complaints. Maybe it’s the old mathematics teacher in me, but I am wondering if we need a new Barbie that says, “PCI is tough!”
Yes, PCI is challenging. And it is particularly challenging to remain compliant every day. But PCI is also detailed and thorough, and that is why it works. From RSA we learned that even the security companies retailers depend on are vulnerable to attacks and possible compromises. That doesn’t mean we give up or say PCI is too hard. It means we learn from each experience, maintain a strong security posture, conduct a thorough risk assessment and keep it current, implement comprehensive incident response plans, and understand the real data retention requirements to minimize the amount of stored cardholder data that attracts the bad guys in the first place.
What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
March 28th, 2011 at 3:38 pm
As head of one of the hotel associations behind this message, I can’t let this go unchallenged.
This was hardly a profound conclusion by the hotel companies. Most major hotel companies have spent tens or even hundreds of millions of dollars on PCI, starting in the days when it was still called Visa-CISP. Most larger hotels are now fully compliant (or at least as compliant as anyone can reasonably be).
Major CIOs in the hotel industry reached the conclusion a year ago that we needed to take every possible effort to harden the entire industry from credit card thieves; that they were all vulnerable no matter what they did in their individual companies, if the rest of the industry was viewed as a soft target (which clearly it was). The associations rose to the task of helping address this, in support of the extensive efforts over the past decade at major hotel companies.
What you seem to be missing is that the hotel industry isn’t a bunch of big corporations, but rather a fragmented franchise industry. There are over 50,000 hotels in the US alone, and most of them are small independent businesses (many in the $500K – $2M/year revenue range) with little or no onsite IT expertise and only a vague awareness of PCI – but, as you point out, lots of credit card data.
About 30 of US hotels operate independently of any brand, meaning they don’t even have a corporate IT group to provide guidance. And while the remainder are affiliated with brands that mostly have very competent security departments, the majority operate under franchise agreements negotiated many years ago, before PCI existed. That means that the brands have little or no contractual power to force their franchised hotels to comply with PCI.
Each hotel is typically an independent business and merchant, and while of course they should adhere to PCI, the fact is that many don’t, especially among the smaller and non-brand-affiliated hotels. Many hotel General Managers and Controllers truly believe that if they buy a PA-DSS compliant system, they need do no more, that they have met PCI requirements. Many also believe that they are too small to be a target. These conclusions are of course wrong, but they’re not unreasonable conclusions for someone with no IT or security background to reach, and they meet the test of common sense that many laypeople would apply.
And make no mistake, PCI compliance costs money, potentially a lot of money. Any small business owner in ANY industry looking at the PCI requirements (which few small businesses have ever seriously done) is likely to conclude that they can’t afford full compliance. You, I, and the major hotel brands may look at it differently, but we’re not the ones running the systems that aren’t compliant, and we have to convince the people who are. The major hotel brands have invested a ton in security for the systems that THEY own and manage (such as reservations systems), but most of them have NO control over systems that the hotels themselves own and manage. Hotel managers ultimately answer to the owner of the building, not to executives at their affiliated brand.
Because of the inherent disconnect between the need and the ability of many smaller hotels in particular to respond, our association supports efforts to entirely remove sensitive data from hotel systems, a direction many major hotel groups are taking. In fact we were one of the first industries to publish a standard message set for proxying credit card data into a secure vault that could be managed professionally, to remove it from local systems. We are further supporting E2EE-from-the-swipe-device efforts that will allow sensitive data to be handled in complete isolation from local systems. But these efforts will be for naught if the people at individual hotels, who are responsible for purchasing systems, don’t understand what they need to do, and what to ask for.
In an industry with many small owner-operators, trade and professional associations play an important role in communicating critical messages that affect the entire industry. We understand our constituents and their issues, and we talk to them in a way they can understand. They don’t read security publications or PCI bulletins, but they do read material coming from their own trade publications and associations. We could have simply published the PCI manual (and apparently that’s what you’d like us to have done), but we felt it was more important to have them read something that they might actually act on.
The message of which you seem so critical was vetted extensively with senior players in the QSA and forensics communities and at card associations, and their feedback was uniformly very positive – in fact the Director of Incident Response at a major forensic investigation company, who has investigated hundreds of hotel breaches, said this was “exactly” the message he would have written.
So no, it’s hardly an awakening for our industry, it’s part of a long and difficult campaign to persuade small business owners of the risk and of the need to act to manage it. If those who haven’t done so by now need to have the message dumbed down a bit in order to be persuaded, then so be it. There are solutions in the hotel marketplace today that can provide top rate security, but it doesn’t matter a whiff if the people who need them don’t buy them.
April 10th, 2011 at 6:46 pm
Douglas,
Thanks for the thoughtful and detailed comment. I appreciate that the hotel industry is made up of many smaller, independent operators. I also appreciate that the industry associations are working to get the word out about PCI. My point is that hotels — maybe especially the smaller operators — are particularly vulnerable to a data compromise, and just because they are small or technically lacking is no excuse for not protecting the data of their guests (mine included!).
I want to commend your and your colleagues efforts on encryption. But as an association, I would like respectfully to suggest you might do more. For example, it is my experience that most hotels use one of two property management applications. If that’s the case, could you perhaps have those vendors conduct workshops at your next association meeting to show operators on how to configure the app and protect cardholder data? Then, could you record the sessions and post them on your website so other members who could not attend can benefit?
Associations like yours are in a powerful position to have a positive impact on your members. If you haven’t offered PCI training webinars or other information, perhaps it is would be in your charter to do so? If you have, did you record them and publicize their availability widely and often?
My point is that your member hotels are not like other small businesses. The pizza parlor near my house has a standalone POS terminal, and it truncates the PAN on both copies of the receipt. I don’t worry too much about a compromise there. A hotel, however, stores loads of paper and electronic PAN data that attracts the bad guys. I therefore hold them to a higher standard than a small retailer who might not retain any data. Because I hold them to that higher standard — as a QSA and as a frequent traveler — I tried to make the point that just doing part of PCI was not good enough. I think they have to aim higher.
I thank you again for your comments, and I appreciate very much your taking the time to respond to the column. –Walt