Heartland and PCI
Martin Mckeay, Mike Dahn, Anton Chuvakin and a lot of others are talking about the impact and the meaning of the Heartland breach for PCI. It has revived the debate about compliance versus security, with valid points made for "doing security first" and for "security and compliance have only a few points in common". I agree with both, but there is also something else that is not being mentioned.
PCI and regulations in general are usually written to address the risks that are most common and cause the most damage. They are also built to fit most of the target organizations. That means every organization has its own particular risks and characteristics that may be very important security concerns but are not necessarily addressed by the standard. Addressing everything for everybody in a standard would make the cost of compliance AND validation huge, far beyond what is reasonable for risk mitigation.
There is a way around that: risk-management-based standards, like ISO 27001. But they are usually more expensive to implement (and to validate). Also, those standards work very well for risks to the organization itself, not for risks to third parties (like cardholders), though treating audit findings and fines as risks in their own right can help fix this "glitch". Honestly, it is too complicated for me; I don't believe the results from implementing those risk management systems are proportional to the costs.
If both ways of writing (and using) regulations are flawed, what are our alternatives? I'm still not sure, but I think a mixed approach could bring better results. I also think threat detection is considerably underestimated and could be improved by requiring some real-time collaboration among organizations. Feeding data from several different organizations' defenses (like firewalls and IDSes) into a massive correlation system would probably bring the same benefits that the card fraud detection mechanisms have been delivering for years.
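To make the cross-organization correlation idea concrete, here is an added example (not code from the original post or from any product it mentions). It assumes a hypothetical feed in which each participating organization forwards its IDS/firewall alerts as (timestamp, org_id, source IP, signature) records, and applies a hypothetical rule: a source address that triggers alerts at two or more distinct organizations within a sliding time window becomes a shared indicator. The alert records are constructed sample data; the `single_org_verdicts` function shows what one organization would conclude from its own data alone, which is the gap the shared system is meant to close.

```python
"""Cross-organization alert correlation (illustrative example; hypothetical feed and rule)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: alerts three organizations might forward to a shared
# correlation system. Addresses are from documentation ranges (RFC 5737).
SAMPLE_ALERTS = [
    ("2009-01-20T10:00:00", "org-a", "203.0.113.7",  "SQL injection attempt"),
    ("2009-01-20T10:04:00", "org-b", "203.0.113.7",  "SQL injection attempt"),
    ("2009-01-20T10:09:00", "org-c", "203.0.113.7",  "Web shell upload"),
    ("2009-01-20T11:00:00", "org-a", "198.51.100.5", "Port scan"),
    ("2009-01-20T11:30:00", "org-a", "198.51.100.5", "Port scan"),
    ("2009-01-21T09:00:00", "org-b", "192.0.2.44",   "Brute force login"),
    ("2009-01-22T09:00:00", "org-c", "192.0.2.44",   "Brute force login"),
]


def parse_alerts(rows):
    """Turn (iso_timestamp, org, src_ip, signature) tuples into records with datetimes."""
    return [(datetime.fromisoformat(ts), org, ip, sig) for ts, org, ip, sig in rows]


def correlate(alerts, window_hours=1.0, min_orgs=2):
    """Return {src_ip: sorted list of orgs} for every source seen at >= min_orgs
    distinct organizations within any window of window_hours.

    Hypothetical rule for illustration: no single participant could reach this
    verdict, because each one only sees its own slice of the attacker's activity.
    """
    window = timedelta(hours=window_hours)
    by_ip = defaultdict(list)
    for ts, org, ip, _sig in alerts:
        by_ip[ip].append((ts, org))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _org) in enumerate(events):
            orgs = {org for ts, org in events[i:] if ts - start <= window}
            if len(orgs) >= min_orgs:
                flagged[ip] = sorted(orgs)
                break
    return flagged


def single_org_verdicts(alerts, org_id, min_events=2):
    """What one organization would flag on its own: sources that hit it at least
    min_events times. Used here to contrast with the cross-organization view."""
    counts = defaultdict(int)
    for _ts, org, ip, _sig in alerts:
        if org == org_id:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    records = parse_alerts(SAMPLE_ALERTS)
    print("shared indicators (1h window):", correlate(records))
    print("shared indicators (48h window):", correlate(records, window_hours=48))
    print("org-a alone would flag:", single_org_verdicts(records, "org-a"))
```

With the 1-hour window only 203.0.113.7 is promoted, because it hit three participants within nine minutes; org-a on its own would have flagged only the noisy port scanner and never the SQL injection source it saw once. The slow brute-force source 192.0.2.44 only surfaces when the window is widened to cover its day-apart attempts, which is the kind of tuning a real shared system would have to expose to its participants.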

I wholeheartedly agree with you. Having one catch-all set of regulations and standards for something as complex as compliance means that in the best case, one party is getting what they want while others suffer, and in the worst case, everyone is paralyzed.
Although your example of the current credit card institutions, and the manner in which they federate data, is one of the better examples of how fraud data is shared among affected parties, it still falls short of what it could be. Merchant organizations must still jump through many cumbersome compliance hoops in order to share credit card information with one another, even in situations where both organizations are part of a common global company. It has been my experience on multiple occasions that I knew with certainty the bad guys had easier and more complete access to the data I needed than I did.
January 27, 2009 @ 8:21 pm