As QSAs, we hear this comment all of the time.
“PCI is all about compliance, not security.”
The implication is that the person talking is interested in actually securing their environment, not just in being PCI compliant.
Yet as the conversation goes on, we get into esoteric discussions regarding scope and how scope can be minimized. Not necessarily a bad thing, but as these discussions continue, an underlying theme becomes apparent.
This conversation eventually leads to the QSA asking, “What are your drivers that are making you so concerned about minimizing scope?”
The inevitable answer is, “Because, we want to minimize the cost of and/or difficulty in implementing (in no particular order) information security, increasing information security personnel, how many devices we vulnerability scan and penetration test, critical file management tools, anti-virus licenses, devices needing log aggregation and analysis, [insert your security tool/product/device/appliance/widget here].”
It is at that point it becomes painfully obvious that the organization is not at all interested in security. In fact, they do not give a damn about security. Their only interest is in checking off the PCI compliance box and moving on to the next annoying compliance checkbox on their list.
I am sure a lot of you are questioning, “How can you be saying this?”
Because, if the organization were truly interested in security, all of the things they mention in their minimization discussion would already be installed in their production environment, if not QA and test environments. That is right. They would already be installed and not just on the PCI in-scope stuff. It would already be installed everywhere in those environments.
Why?
Because all of these security tools and methods are part and parcel of a basic information security program that follows information security “best practices”. They are not special to PCI; they are required by any successful information security program, whether it is built around HIPAA, FFIEC, FISMA, HITRUST, or another framework.
People seem to think that the PCI SSC and the card brands came up with the PCI DSS requirements by arbitrarily pulling the requirements out of thin air. In fact, I have had people insinuate that the PCI standards are just there for the banks to be mean to merchants and extract more money from them.
But in actuality, the PCI standards come from a lot of recognized sources, including the US National Institute of Standards and Technology (NIST) security standards and guidance, US Department of Defense (DoD) security standards and guidance, “lessons learned” from the card brands’ cardholder data breach forensic examinations, and the knowledge shared by information security professionals about the minimum, basic “best practices” required to secure data.
But the key words here are ‘minimum’ and ‘basic’.
Because guess what? If you want true security (remember that thing you supposedly wanted when we started), then you have to go beyond the PCI DSS requirements. Hear that, people? If you want true security, your organization must go BEYOND the PCI DSS requirements. Organizations are complaining about doing the basics. Imagine what their complaints would be like if they had to do true security. They would be throwing a tantrum that could easily be heard around the world.
Want actual proof that organizations are not doing the basics?
Read the Verizon Data Breach Investigation Report (DBIR) or any of the dozens of data breach reports issued annually by forensic analysis firms. They all read the same, year after year after nauseating year. Organizations cannot consistently execute even the basic security requirements specified in any security standard. Even more disheartening is the fact that the same vulnerabilities and mistakes are the root cause of the vast majority of breaches.
QSAs still get complaints from organizations about the PCI DSS being too difficult and costly to implement and maintain. Yet these same organizations have the gall to say that PCI is NOT about security.
So, before you go and tell your QSA that PCI is all about compliance, think long and hard about that remark and why you are saying it. Odds are you are saying it to look good, to make a good impression on your QSA, and to show them that you are a true security professional and that your organization wants to be secure.
Think again. The truth will eventually come out. One way or another.