StorefrontBacktalk

Why Are You More Afraid Of A QSA Than A Cyberthief?

Written by Walter Conway

December 16th, 2009

Do cybercriminals concern you? Are you afraid that you might lose cardholder data? Are you worried that your internal users are downloading malware from the Web? If so, PCI Columnist Walt Conway has a question for you: Why are you more afraid of your QSA than you are of a cyberthief?

Consider this example: A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Already a Subscriber? Login Here

Username
Password
Login
Forgot Your Password? \| Site License

Pages: 1 2

Posted in IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud

3 Comments | Read Why Are You More Afraid Of A QSA Than A Cyberthief?

Ryan Barnett Says:
December 16th, 2009 at 4:59 pm
I work for Web Application Firewall (WAF) vendor Breach Security and I couldn’t agree with you more about the unfortunate *gotcha* related to merchants attempting to address Requirement 6.6 by deploying a WAF however they never move into an actual blocking configuration. The intent of 6.6 is Remediation and if you aren’t blocking with your WAF then you missed the point. Another interesting topic related to PCI and WAFs is how should a merchant configure their WAF to handle ASV traffic? Should they whitelist the ASV domain entirely? Should they do their normal blocking? Seems as though each QSA has a different view on this topic :) There are valid reasons for each camp.
Biff Matthews Says:
December 18th, 2009 at 1:46 pm
I believe the issue is one of expense, the known absolute expense of addressing an assessor’s finding versus the unknown and possibly no expense if a breach does not occur.
What is the probability of being breached, therefore the cost versus the cost of implementing greater security that may or may not be breachable.
The fact that one is judged to be not in compliance by the mere fact that it is breached even after adhering to all the PCI requirements is another oxymoron.
PCI in my opinin is a fear tactic by the card associations to drive the small and medium size players from the acquiring business in an effort to reduce the number of members they must manage therefore dramatically reducing the association’s overhead.
Walt Conway Says:
December 21st, 2009 at 7:35 pm
Thanks for the comment, Biff. I do want to take issue a little with two points you make.

You imply that the cost of a breach is less than the cost of compliance. I disagree. While I agree that the probability of a breach may be low, it is growing, and with the high financial, legal, infrastructure, business interruption, and brand damage costs associated with a breach, the cost of compliance is lower. I really believe (and I’ll admit to some bias) that the cost of compliance is less than the cost of noncompliance, even if we adjust the cost of noncompliance by the probability of a breach, i.e., Pr (breach) * breach cost > compliance cost.

You mention that “one is judged to be not in compliance by the mere fact that it [the merchant] is breached even after adhering to all the PCI requirements.” I don’t think I can agree with you on that one, either. The Council and the brands have said that no merchant that suffered a data breach was ever found to be PCI compliant at the time of the breach. I am not a big fan of that statement, at least partly because it seems to taunt every bad guy out there. Nevertheless, their forensics bear them out. The statement about not being compliant is based on the forensic investigation identifying the source of the breach, not the sole fact that a breach occurred.

Besides, PCI is a data protection standard, not a security standard. I could argue that PCI assumes your systems will be breached, and that is why you need to protect the cardholder data you are storing.

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.