In the second of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about cloud compliance and the prevalence of the “it won’t happen to my company” attitude. Last week, we spoke to Chuvakin about the way the industry has misunderstood – and undervalued – PCI standards.
VPN Haus: You’ve mentioned that some companies take a “nobody wants to hack us” attitude to compliance. What kinds of companies tend to take this approach? What kinds of companies tend to be most vigilant – ones that have already had a breach?
Chuvakin: While many in the security community would quip that only stupid companies would say that “nobody wants to hack us,” the reality is slightly more complicated. Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly, some will pay with their very existence for this mistake…
In regards to more vigilant organizations, you are correct: breached companies are indeed more vigilant – but only for a certain time. Some say a breach gives a boost to security awareness and elevated vigilance for about a year.
VPN Haus: Are the consequences of a security breach for PCI companies enough of a deterrent?
Chuvakin: Apparently not. Just look at all the companies that only pay lip service to security and PCI compliance, and then get upset after they are breached. Don’t get upset — the breach is a natural result of your own behavior; please learn to take responsibility.
VPN Haus: How would you describe PCI’s approach to the cloud? Everyone seems to have an opinion on the cloud, but it seems like PCI has been quiet on this front.
Chuvakin: It is quiet [because] Requirement 12.8 that covers service providers addresses it just fine. [The requirement states,] “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers …” No need to say anything new on the subject, for the most part.
VPN Haus: So basically, PCI compliance applies to service providers or cloud providers if they have cardholder data?
Chuvakin: Yes, of course. PCI DSS has – and pretty much always had – a section about the responsibilities of a service provider.
VPN Haus: Is there anything that we haven’t covered that you think is relevant or that you’d like to discuss?
Chuvakin: Like we say in the PCI book, “The best way to protect the data from hackers is to delete it.” People should learn that the best approach to PCI is reducing the scope by eliminating card data storage and movement from their environments. If there is a way to change their business process to reduce handling of cardholder data, it should be taken first. Only then – after the data elimination/reduction step is taken – think of encryption, firewalls, application security and other security controls. Outsourcing data handling altogether – if possible – is a good way to take this approach as well.
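As an added illustration of the scope-reduction idea in the answer above (this is example code written for this page, not code from the interview, from VPN Haus, or from Chuvakin's book), the snippet below does two things a defender can act on: it reduces an incoming payment record to the minimum PCI DSS lets a merchant keep (a truncated PAN, never the CVV), and it scans a constructed log excerpt for full card numbers that should not be there. The record layout, the log lines and the function names are assumptions made for the example; the 4111 1111 1111 1111 number is a widely used test PAN, not a real card.

```python
import re

# Constructed sample input, as a payment form might submit it. Not real card data:
# 4111111111111111 is a standard test PAN that passes the Luhn check.
SAMPLE_RECORD = {
    "cardholder": "Jane Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "amount": "42.00",
}

# Constructed log excerpt: line 2 shows a full PAN leaking through a debug
# statement, line 3 carries a 20-digit reference that is not a card number.
SAMPLE_LOG = """2010-06-01 12:00:01 order=1001 status=ok
2010-06-01 12:00:02 DEBUG form={'pan': '4111 1111 1111 1111', 'cvv': '123'}
2010-06-01 12:00:03 order=1002 ref=12345678901234567890
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits a
    truncated PAN to retain; the middle digits are replaced with 'x'."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


def minimize_card_record(raw: dict) -> dict:
    """Reduce a raw payment record to what the business needs to keep.
    The CVV is dropped (PCI DSS forbids storing sensitive authentication data
    after authorization) and the full PAN is never written anywhere."""
    return {
        "cardholder": raw["cardholder"],
        "pan_truncated": truncate_pan(raw["pan"]),
        "expiry": raw["expiry"],
        "amount": raw["amount"],
    }


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run (which rules out order ids and long references).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans_in_text(text: str) -> list:
    """Return digit strings that look like PANs and pass Luhn: a cheap check for
    card data that has leaked into logs, exports or tickets."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print(minimize_card_record(SAMPLE_RECORD))
    print("PANs found in log:", find_pans_in_text(SAMPLE_LOG))
```

The Luhn filter keeps the log scan from flagging every long number, but it is a heuristic: a truncated PAN like 411111xxxxxx1111 is deliberately not matched, and any hit should be treated as a signal to fix the logging path rather than as proof of a breach.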
VPN Haus: Would outsourcing your data handling actually increase risks, as you can’t control a third-party vendor’s compliance but you can control your own?
Chuvakin: No, not at all – because – pardon my French – that “you” mentioned in the above is typically an idiot – in regards to security. Their environments are “owned” and card data is being stolen every day. Think of outsourcing as “do you store a lot of CASH in your restaurant/hotel/business?” “No, you ‘outsource’ it to the bank” – “then WHY oh WHY do you insist on writing your own card processing software?” Check out this recent paper: http://www.rsa.com/innovation/docs/10990_CDS_BRF_0610.pdf. Most every PCI expert would agree that payment protocols just don’t belong in-house.
Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the Security Warrior blog and is based in San Francisco.