Is Compliance to the PCI DSS Enough?

In light of the recently reported breaches, in particular those of Target and Neiman-Marcus, where the likely attack vector was memory-scraping malware in the Point of Sale (POS) equipment, there has been discussion about compliance with the PCI DSS, the security it actually provides, and the use of certified components.

Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) does NOT mean that a merchant or service provider will be secure. The standard is the minimum set of security controls that should be implemented as part of due diligence in protecting cardholder data.

The annual audits carried out to verify compliance with the standard are a snapshot in time: they show that a merchant or service provider has implemented the requirements and that evidence is available that the controls have been operating correctly since the previous audit. Many of those involved in any auditing system, on both sides, will say that the evidence provided may not show the true picture, and that a large amount of effort is often put in by those being audited, shortly before the audit occurs, to ensure the evidence is up to scratch. I am not implying this happened in the recent cases of breaches.

Merchants such as Target and Neiman-Marcus are not going to develop their own systems for POS and payment processing; they use commercial products. In addition to the DSS, the PCI Security Standards Council (SSC) has issued a number of other standards covering card data processing applications and payment transaction devices (PED, PDQ etc.). These allow third-party vendors to have their products (hardware and software) tested to see whether they support the requirements of the PCI DSS, and to have them certified to show this. The intention of these standards is to help merchants and service providers meet the PCI DSS requirements by using certified components within their systems. Auditors do not then need to prove that the payment terminal or payment application correctly protects cardholder data, because PCI SSC certified assessors have already verified the equipment.

For a merchant or service provider, the important part of using certified components is that they MUST be installed according to the vendor's instructions to ensure that they do protect cardholder data. An auditor of the merchant or service provider, whether a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA) or an employee, has to verify that the certified components have been deployed as per the vendor's instructions, and NOT merely that they are listed on the SSC website and that the correct certified software, firmware and hardware versions are in place. All of these checks are required, but the listing and version checks alone are not enough.

It is important for merchants and service providers to understand that being compliant is not the same as being secure; more can be done to secure cardholder data than just implementing the controls needed to meet the requirements of the PCI DSS. The use of certified applications and devices is an important step towards compliance, BUT those components need to be installed, configured and maintained according to the vendor's instructions for the component to offer the level of protection the certification implies. Those conducting PCI DSS audits, whether for an RoC or an SAQ, need to be aware that it is not enough to confirm that the component is listed, or that the component is of the correct revision for the listing; they also have to ensure that the component is being used as per the vendor's instructions.