Magazine Article | June 19, 2009

The Man Behind The Standard

Source: Innovative Retail Technologies

Troy Leach, technical director for the Payment Card Industry Security Standards Council, addresses the perceptions and realities of the Data Security Standard.

Integrated Solutions For Retailers, June/July 2009

We grilled Troy Leach, technical director for the PCI Security Standards Council (PCI SSC), on the findings of our research into the industry's reaction to the PCI Data Security Standard (PCI DSS). The first part of the interview, conducted by Integrated Solutions For Retailers Associate Editor Erin Harris, is available in podcast form at ismretail.com.

In the latter half of the interview, we questioned Leach on the findings of this report. Here's how the conversation went.

The PCI DSS has created quite a bit of marketing fodder for companies selling security-enabling solutions. Do you have an opinion on specific technologies that retailers should deploy to achieve security?

Leach: Historically, the council has tried to remain technology-agnostic. With certain aspects of the introduction of these types of technology, the council recently proposed an "emerging technologies RFP," and we've just selected a vendor to, over the next few months, look at specific technologies, analyze how they relate to the requirements, and determine whether or not there are technologies out there that will enable merchants to reduce the overall volume of validations they need to comply with. Any technologies that specifically endeavor to reduce the footprint of cardholder data clear a path for further compliance initiatives, making them much less taxing on the merchants themselves.

How would you react to the following actual statement from a small independent payment software application vendor:

"I'll consider the PCI Security Standards Council something other than a band of career criminals and scamsters precisely one moment after they validate that using VeriFone's SIM.DLL obviates PCI DSS certification. The fact they won't proves beyond any shadow of a doubt that this whole thing is a ham-fisted rip-off."

Leach: This perception is something the council is sensitive to, and it goes back to the comment I made earlier about the council remaining technology-agnostic. You could have the best firewall and the best web application, but if you apply that in a way that is unintended, in other words, if you change the configuration rules or change policy rules, you can easily wind up with a very good product that has become noncompliant via improper use. So we have security standards for specific applications (i.e. the Payment Application Data Security Standard), and on our website we list the providers of such applications that have gone through the process of meeting those requirements. But you still need to adhere to another document we produce, the Implementation Guide. It's a guide to deploying these applications in a way that maintains a PCI DSS-compliant environment. What you need to avoid when you deploy a new application is "undoing" what you've done to achieve compliance. So, to the gentleman's point, it would be easy to just come out and say, "use this application." But the reality is that the security of those applications is going to be dependent on how they're being used in the greater environment and making sure that all the controls, from remote administration to logging requirements to debugging, are considered at the point of deployment in order for the application to be secure.

On The Web: Download Erin Harris' interview with Troy Leach in podcast form at ismretail.com.

The analogy I like to use is a vehicle. At the factory, they can create a car with tons of safety features, but you still have to obey the speed limits and operate the vehicle safely when it's out on the road.

There's confusion around compliance and what it means. Many survey respondents indicate they don't know what the standard is or have not achieved the standard. Yet 63% say they've been deemed compliant. We asked them who validated or deemed compliance, and 60% said self-assessment. Is that acceptable?

Leach: This is an opportunity to share with your readers that compliance is something that is separate from the PCI SSC. The council is responsible for the standards themselves [outlined elsewhere in this report]. How merchants demonstrate and validate compliance is determined by each payment brand individually.

There are 6 million to 7 million merchants worldwide who need to adhere to PCI DSS requirements. For smaller merchants, the payment brands require the completion of a Self-Assessment Questionnaire. Those questionnaires can be downloaded from the council's website, but we never see the results of those questionnaires. Within your question, you pointed out a significant differentiator. There's compliance, and then there's validation of compliance. PCI compliance needs to be a daily activity. Validation, the annual Self-Assessment Questionnaire or the annual act of bringing a QSA (Qualified Service Assessor) in to validate that a merchant is compliant, that is just a demonstration that all of these controls have been in place all year long, and that the merchant has been PCI-compliant all year long.

We sometimes see that when someone becomes PCI DSS-compliant, they feel they have another year before they have to demonstrate that again. So they think they don't have to worry about their firewall and their monitoring until next year. Then the assessment time comes around, so they dust off all the policy documents and monitor logs the month before the assessor shows up.

At one time in my career I was a HIPAA (Health Insurance Portability and Accountability Act) assessor, and I had an engagement where the client had a medical facility with lots of open medical record files. The cabinet had many drawers open, the closet where it was stored was continuously unlocked, and people were just walking in and out. So when I mentioned that this didn't seem to meet the requirement, they said, "Don't worry; when our auditor comes in, we lock the cabinet doors, lock the closet, and he passes us because it's secure." It's the same concept; they're compliant, and they need to validate that compliance.

Most of our tier-one respondents indicated that companies like VeriSign and Trustwave have deemed them compliant or are deeming them compliant on an ongoing basis. Is this what we should expect to see moving forward?

Leach: Among those types of organizations, we're seeing more companies moving toward using a QSA, especially in light of some recent activity on the council. We launched a quality assurance program just for the QSAs last year, where we've made sure that opinions rendered by those QSAs are consistent, both within QSA companies (some of which employ more than 100 assessors) and from one QSA to the next. We've made great strides in aligning these assessors in the past year and making sure those opinions are consistent. I believe that's had a positive impact on the confidence of these tier-one merchants as they decide whether or not to use these QSAs.