There has been a growing emphasis within the PCI Security Standards Council community on adopting a risk-driven approach to compliance. Recent developments in this direction are as follows:
- October 2010: PCI DSS v2.0 announced. Requirement 12.1.2 modified to mandate formal risk assessment as per ISO 27005, NIST SP 800-30, OCTAVE etc.
- Mid-2011: Risk assessment upgraded to Milestone 1 of the prioritized approach to PCI compliance.
- November 2011: Special interest group constituted by the PCI Council for risk-based approach to PCI compliance.
The above instances demonstrate a clear shift in the advisory strategy for PCI compliance. But how far is this really being deployed? Many organizations want a quick roadmap to PCI compliance, so they can get it out of the way and focus on core business activities. While some organizations have dedicated resources to manage compliance, many others don’t. In addition, there is a wide shortfall in their understanding of the concepts of cardholder data security.
Consider another scenario wherein a client mandates PCI compliance from a service provider with a tight deadline. In this case, the service provider usually merely implements the minimum necessary controls to meet the PCI requirements and the deadline.
The above scenarios depict the state of many PCI compliance exercises — a certificate that has verified minimum compliance, but cannot vouch for how robust or long term the risk treatment controls are. What are the gaps in such an approach to compliance? Let’s find out with a case study.
A vendor of movie tickets, iCinemas, is pursuing PCI compliance. Let’s put ourselves in the shoes of the employee — whom we shall call Tim — managing the PCI compliance project.
First of all, Tim will need to identify the scope of the project, covering the people, process and technology channels that store, process and/or transmit cardholder data. People log into the iCinemas website to book and pay for tickets, while others use the iCinemas Android application to do so. Therefore, the primary business processes within the scope are:
- E-commerce website of iCinemas
- Mobile payment application
These, in addition to their supporting infrastructure such as hardware (servers, network devices, cabling), software, and so on, are the technological constituents of the PCI scope. Employees who operate and manage these resources are the ‘people’ component of the scope.
Consider Requirement 3.4: Render stored PAN unreadable. PCI suggests four encryption methods, ranging from truncation to strong cryptography. Tim needs to select and justify the right option to protect the PAN, one that balances effective protection with cost.
Consider Requirement 4: Encrypt transmission of cardholder data across open, public networks. Tim will meet this requirement by encrypting transmissions sent over the Internet or Wi-Fi networks and ensuring that unprotected PANs are not sent via email, instant messaging or similar means.
What are the concerns with this approach?
- Asset identification and valuation: How can Tim be sure he’s truly identified all the entities involved in a transaction? The payment application server, the database administrator, the customer’s mobile phone and the mobile platform running the application (Android) all play roles with varying significance in transactions.
- Threats and vulnerabilities - identification and profiling: Tim has encrypted transmitted card data sufficiently as per Requirement 4. Now how does he identify an unforeseen threat vector? Perhaps this could be in the form of an employee intercepting the public network transmission, collecting encrypted card numbers, and decrypting them using the keys that he noted by peering into his co-worker’s computer.
- Risk treatment: How does Tim make an informed decision when choosing a suitable and cost effective encryption mechanism?
The solution to all these questions lies in a risk-based approach.
A risk-based approach involves a formal risk assessment as the first step to the compliance exercise.
A sample formal risk assessment workflow comprises:
Scope->Assets->Threats->Vulnerabilities->Risk Profiling->Risk Treatment->Results Documentation
With a formal risk assessment, Tim defines his scope, identifies and valuates assets, and identifies and profiles threat vectors such as access channel, threat actor and motive, outcome and likelihood. He also identifies vulnerabilities, evaluates existing controls and safeguards and measures risk for each A-T-V.
The above risk assessment leads to a risk management process where Tim formulates a strategy for each risk, in terms of making a decision to treat, transfer, tolerate or terminate it. Factors such as risk value and cost of controls are considered. This helps provide a robust and optimized security posture for iCinemas, which exceeds minimum compliance.
About the author: Praveen Vackayil is an associate product and marketing manager at smart-ra.com. He holds a master’ degree in information systems and management from Warwick Business School, UK, and a bachelor’s in electronics and communications engineering from Anna University, India. Prior to smart-ra.com, Vackayil was with Infosys Technologies. He can be contacted on www.linkedin.com/in/vackayil
Please send you feedback to vharan at techtarget dot com. you can follow our twitter feed at @SearchSecIN.
This was first published in January 2012