Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 27 Apr 2010 16:34:45 -0500

--On Tuesday, April 27, 2010 13:37:39 -0700 J Roger <securityhocus () gmail com> 
wrote:

> Is PCI Compliance a giant bluff from VISA? Have any large companies ever been
> forced to stop processing CCs because they failed to be PCI compliant?


They don't force you to stop processing.  They fine you.  VISA assessed $3.3 
million in fines in 2005 and $4.6 million in 2007 alone.

> According to the Verizon report 81% of attack victims were not PCI compliant.
> Ok then how is that they were still processing the CCs that became
> compromised?


You *do* understand that if the card vendors refuse to process cards they are 
arbitrarily shutting down a business, right?  So, when someone is breached, 
they're going to be fined and expected to get into compliance.  If they refuse 
or continue to have breaches, then the card vendors might refuse to accept 
their business any more.  But one breach is not enough to put a company out of 
business.  I doubt VISA could win that case in court.

> Or does VISA come in after a large company has PCI data breached and then
> claim "oh but they're not compliant because of X that wasn't correctly
> identified during their last audit"? How many of those breached companies
> were PCI certified at the time of the breach only to have it taken away post
> mortem.


PCI compliance is determined by approved third party assessors, not by the card 
vendors themselves.  If a compliant company is breached, the fines have a cap 
of $500,000.  There is no cap for non-compliant merchants.  Non-compliant 
merchants are also charged a higher interchange rate until they come into 
compliance.

PCI compliance isn't something you can have "taken away".  You're either 
compliant or you're not, as determined by the third party assessor.  And you can 
be compliant today and fail tomorrow.  All you need is for one element to go 
out of compliance for some reason.

In 2007 VISA began fining their acquirers between $5000 and $25,000 a month for 
every merchant they serviced that wasn't compliant.  (The acquirers, in 
general, pass those fines on to the offending merchant.)

In 2009 Ponemon surveyed the PCI landscape and found that 22% of companies were 
in full compliance with PCI while another 53% were either mostly or partly 
compliant.  I suspect the fully compliant merchants were probably all or mostly 
all Tier 1.  79% of the companies surveyed had experienced at least one data 
breach that required disclosure.  So even among compliant or partially 
compliant businesses there were a significant number of reportable breaches.

If you think this is laughable, then strap on your super security man suit and 
start fixing it.  "Doing" security is a lot harder, at the enterprise level, 
than people realize.  For example, try identifying and remediating all the 
vulnerable versions of Java in your enterprise.  I'm betting you can't.  I 
recently checked, and the average workstation had more than fifteen (15) 
separate versions of Java installed, most of which are vulnerable, and none of 
which can be updated without breaking the application they were installed with.

Better yet, try getting a functioning version of antivirus that is properly 
updating installed on 100% of your assets.  I'll bet you can't do that either. 
(Note I said 100%, not 99% or 98%.)  It's damn near impossible to maintain 
every single computer in an enterprise, without exception, to a secure standard 
100% of the time and have all of them functioning without problems 100% of the 
time.

Until software vendors get their act together and start building security in 
from the beginning of development, companies will continue to experience 
breaches.  Even in a perfect world of zero vulnerable software packages you'll 
still have to deal with the human element, which is demonstrably harder to 
overcome.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/