The Payment Card Industry Data Security Standard (PCI DSS) is fast becoming the de facto baseline for securing payment infrastructure across many industries. This is because a large number of businesses (much larger than originally envisioned) process credit cards and are, therefore, required to be PCI compliant. The PCI DSS, unlike many other regulatory regimes, codifies best practices through precise and specific requirements for implementation and compliance audits. The recent spate of data leaks and security breaches has also sparked a sense of urgency amongst businesses to become PCI compliant, in the hope that the implementation will improve their security as well.
All these factors have resulted in an increasing demand for PCI solutions, which in turn has led to a proliferation of vendors offering PCI solutions. A quick search for “PCI DSS” on Google reveals over 50 sponsored links for products ranging from vulnerability scanners to remediation services. You know you have a problem when vendors offering products as diverse as network firewalls and encryption each claim to offer the “best PCI DSS solution.” In this paper, we attempt to clear the confusion caused by such broad-based claims.
Claim 1 – Single Product for PCI Compliance
Reality – Our research validates that using a single product for PCI compliance is not possible, especially if you are a Level 1 merchant or payment processor. Even though large vendors like IBM, Symantec and McAfee offer full coverage, this is accomplished using a combination of products and services. Do not underestimate the service costs here, as any gaps in functionality will get implemented on your dime. The total cost of ownership (TCO) of such solutions will be high because of the lack of integration between the products that will need to be implemented. Furthermore, only a small fraction of the products in such offerings will be best-of-breed. This will force you to live with severe limitations despite the large implementation cost.
Recommendation – As part of your planning exercise, consider short-listing a set of vendors for each PCI category. Seek input from your qualified security assessor (QSA), analysts like Gartner and Forrester, and your peers in the industry. Ideally, make the purchasing decision only after implementing the product in a test environment and getting your QSA’s nod.
Claim 2 – PCI compliance is expensive and you need to buy 10+ products
Reality – While this may be true for a large Level 1 merchant or payment processor, specialized environments like retail stores can reduce the cost of compliance by limiting the systems that fall within scope, so that only the requirements that genuinely apply to their cardholder data environment need to be implemented.
Recommendation – Before you start looking for any PCI product, carefully consider all the requirements and consult your QSA about best practices used by others in your industry. Network segmentation, OS hardening and internal risk management processes can be used to reduce the scope of infrastructure or the number of requirements that need to be met for PCI compliance. Note that a system only leaves scope if it is genuinely isolated from the cardholder data environment, and your QSA will need to validate that isolation, so plan the segmentation with the assessor rather than after the fact.
Claim 3 – Product covers 11 out of 12 PCI requirements
Reality – A survey of many vendors’ marketing material turns up this type of messaging quite often. More often than not, it represents an effort to make the product seem capable of doing more than it really can. There is always some truth in these claims, but coverage of one or two easily met requirements within a section is not the same as full coverage of that section.
Recommendation – Beware of vendors claiming that a product covers entire sections of the PCI DSS. In our opinion, there is only one section (PCI section 5) that can be completely covered using a single product (anti-virus).
Claim 4 – Product covers 120 out of 200 PCI requirements
Reality – This is another manifestation of the previous claim. In this case, vendors cherry-pick every requirement that their products can directly or indirectly relate to. It is important to distinguish between “relate to,” “address,” and “cover,” because these products cannot by themselves secure your infrastructure.
For instance, one vendor claims it can monitor changes to the anti-virus programs mandated in section 5. However, the product is not an anti-virus product itself, and hence such a claim is not consistent with the spirit of the PCI DSS requirement.
Recommendation – Do not look at the PCI DSS as a checklist you have to cross off. Instead, use it as a stepping stone to improve your IT processes and security. Your customers and business will respond favorably.
Claim 5 – Use products sold by a QSA and you’ll never worry about compliance
Reality – Talk about the fox guarding the hen house. Five of the top six QSAs also offer products that can be used in remediation. This creates a serious conflict of interest, because a QSA has little incentive to produce an adverse compliance report when you are using that company’s own product.
Recommendation – Unless there are very good reasons, stay away from your own QSA’s products. Instead, use a product from a different QSA or vendor. We anticipate that the PCI council will soon mandate this.
After analyzing various claims and common pitfalls encountered in the process of becoming PCI compliant, we find that PCI compliance is neither easy nor cheap. But the PCI DSS is one of the first attempts to make sure that IT organizations are following a minimal set of best practices. Precisely because it is a minimal set, PCI compliance by itself is not going to guarantee your business’s safety. That requires a greater focus on secure processes, for which the PCI DSS is an excellent starting point.
*Image from purpleslog’s Flickr photostream.