There are reports that MasterCard now requires that Level 2 merchants (between 1 and 6 million annual transactions) use an external Qualified Security Assessor for annual PCI auditing. Previously, Level 2s could do a self-assessment. While Gartner has pointed out there are many problems with the PCI QSA program, there are even more problems with self-assessments. When done right, we see many larger Level 2s bringing in external assessors anyway – there is a reason why separation of duties and “don’t let the fox guard the chicken coop” are standard goodnesses. I’ve seen PCI external audits very often be the tipping point from “let’s document compensating controls” to “let’s address the problem that is putting card data at risk.”
On a related front, a number of merchant groups sent the PCI Security Standards Council a set of well thought-out recommendations for improving the process – including the common sense request to give merchants the option of not storing card data at all. Rather than leap to questionable new requirements like “end to end encryption,” reducing the number of places card data is stored and handled should be paramount.
I previously yattered about some good first moves Adobe has made in emphasizing improving the security of its software. Adobe and Microsoft did a joint blog post on how they worked together – good stuff. Back in the 2002-2003 timeframe when Microsoft finally began taking security seriously, I did a lot of digging into what they were doing, looking for one major inflection point: when would I see product managers, not just engineering, begin to have their success measured on how well the product protected customers, vs. mostly just measured on ship dates, market share and feature-itis. Haven’t quite seen that Adobe is there yet, but definitely headed in the right direction.
Apple made the iPhone software update available this week – I can finally type with a large keyboard right in the iPhone mail client, though typing on glass is still about as much fun as trying to play the piano with a spatula in each hand. But, Apple also included a passel of security patches in the release, generally all before any attacks have been seen in the wild. I would rather see Apple have the security patches pushed out individually as soon as they are ready, but Apple is nowhere near reaching that level of enterprise security maturity – more enterprise pressure needed.
John Pescatore
2 responses so far
1 Doug McLean June 19, 2009 at 5:10 pm
It IS goodness that the Level 2 merchants can no longer guard their own hen houses. We just have to keep in mind that compliance does not equal security. Heartland Payment Systems passed their PCI audit less than two weeks prior to being breached.
2 John Pescatore June 19, 2009 at 5:27 pm
Yes, agree big time = compliant definitely does not mean secure. Sometimes it means reporting that at a given point in time you were secure enough – but most often it doesn’t even mean that. Compliant means you fulfilled reporting requirements to convince someone else you are as secure as *they* think you should be. Compliance is mostly about the convincing, not the securing.
Now, any security audit is just a point in time – whether it is an exhaustive, real live security audit or just a compliance exercise. The minute something changes, the results of the audit are no longer valid – the fact that Heartland had an incident may or may not be an indictment on the audit process. PCI does have requirements for continual monitoring but an annual audit can only check that such a process exists and hopefully validate its effectiveness, but not continually check that it is continually effective.
That’s life in the real world – that’s why banks still get robbed after all these years of physical security.