Image copied from CSOnline article related to securing “pricelessness”.
Alex Hutton over at Risk Management Insight recently blogged about PCI-DSS being “…security through obscurity on a grand, grand scale.” I have a professional relationship with Alex and I know he enjoys blog bantering, so here goes.
Obscurity. I take issue with the word obscurity. Yes, it may sound like I am splitting hairs, and Alex’s use of the word can probably be justified via Merriam-Webster. However, when I hear the phrase “security through obscurity”, it is usually in a negative context with the following attributes:
1. The asset being protected is usually not known about outside the company.
2. There are usually no (or no effective) security controls applied to the asset to begin with.
Let’s start with #1. The bad guys know merchants and processors have access to and *possibly* store payment card information. No secret there. End of story.
For #2, there are numerous “prevent controls” outlined in PCI-DSS that, if implemented properly and validated to be effective, provide a high level of protection to payment card information. So, it is reasonable to assume that in most merchant / processor cases, there are some security controls in place to protect payment card information.
A better word that Alex could have used in place of obscurity might be “isolation”. You can find some other valuable thoughts on obscurity over at “dmiessler.com”.
Later on in Alex’s post he states “…that PCI DSS is not necessarily concerned with Detection and Response.” I agree that once you are not able to prevent, you are probably in trouble with some entity – but detect and respond controls can significantly reduce and in some cases minimize loss forms, as well as significantly facilitate “root cause analysis” (RCA) in cases of payment card related events and/or incidents (read the blog post by Don C. Weber – “get some”).
I am going through an exercise right now to go through PCI-DSS and tag every requirement with the type of control it is. I am about halfway through it and, amazingly, the percentage of “prevent controls” is not significantly higher than the percentage of detect and respond controls (I may post my findings in a later post). So, Alex – I think you missed the mark on the value of “detect and respond” controls and their importance from a PCI-DSS perspective. You know that I am not a big fan of “value-fail” QSAs, but I do know some QSAs check for these controls and interview actors that participate in response processes to SWAG a level of effectiveness. Unfortunately, the ultimate determination is made when an event or incident occurs. I would like to think that the card carriers and acquirers take this into consideration when determining fines for merchants or processors that are deemed to be culpable in breach incidents. Maybe not.
I support the underlying principles of PCI-DSS (see paragraph on commitment, here), especially since it is such a significant portion of my current job responsibilities. However, I disagree with some QSA and processor approaches to determining whether a merchant is compliant or not – especially when gauging the effectiveness of controls – which complicates articulating and managing the risk associated with PCI-DSS compliance.