What's the takeaway on Audit?
OK, so I edited the title, to fit in with an old Audit cycle I penned a while ago (I, II, III, IV, V, VI, VII).
Here's the full unedited quote from Avivah Litan, commenting on the latest breach of 1.5m credit cards in the US of A:
What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.
Just a little emphasis added, so audit me! PCI is the compliance audit imposed by the card brands on merchants and processors. It's widely criticised. I imagine it does the same thing as most mandated and controlled audits: sets a very low bar, one low enough to let everyone pass if they've got the money to pay to enter the race.
For those wondering what happened to the audits of Global Payments, DigiNotar, Heartland, and hell, let's invite a few old friends to the party: MFGlobal, AIG, Lehman Brothers, Northern Rock, Greece PLC, the Japanese Nuclear Industry disaster recovery team and the Federal Reserve.... well, here's Avivah's hint:
In the meantime, Global Payments who was PCI compliant at the time of their breach is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.
That's a relief! So PCI comes with a handy kill-switch. If something goes wrong, we kill your audit :)
Problem solved. I wonder what the price of the kill-switch is, without the audit?
Posted by iang at April 10, 2012 06:41 PM
Last century we were tangentially involved in the California state data breach notification legislation. We had been brought in to help word-smith the California state electronic signature legislation, and several of the other participants were heavily into privacy issues. They had done detailed, in-depth citizen surveys, and the No. 1 issue was "identity theft" ... primarily in the form of "account fraud", with fraudulent financial transactions as a result of crooks harvesting transaction details from skimming, data breaches, etc.
The standard issue is that "security" normally motivates an entity to protect its own assets. The issue with "account fraud" and "data breaches" was that the institutions experiencing the breaches had little or nothing at "risk" (it was individuals and their transactions that were at risk), and as a result little or nothing appeared to be being done. It was hoped that the publicity from data breach notifications would result in corrective actions by the institutions (as well as giving individuals the opportunity to take their own countermeasures).
The PCI effort seemed to start not long after the California data breach notification legislation was passed ... and seemed to go along with industry calls to repeal breach notifications (because of industry efforts like PCI). There have been numerous federal "notification" bills introduced since then ... about evenly divided between bills imposing requirements similar to the California notification legislation and "federal preemption" notification bills that would eliminate most notification requirements.
"Problem solved. I wonder what the price of the kill-switch is, without the audit?"
It's been a couple of years since I have dealt with PCI-DSS ('08), so it may have changed, but the price used to be where the financial burden of recovery fell, i.e. the Visa auditors you have to pay for every couple of months, the reissuing of cards, etc. etc. If you were PCI compliant it fell on the next level up in the PCI issuing/processing hierarchy (as theoretically the outside auditors you hired reported to them, and they had a responsibility to review your audit results and reject/accept them), whereas if you weren't it fell directly on you. The incentive (in theory) was supposed to be between the price of compliance with your issuer/processor and your local issuer. I know personally of one middle-market client (~$300 million in revenue annually) that consciously decided to simply insure against a PCI event rather than comply, once they ran the numbers on PCI-DSS compliance post-QSA audit results. You could maybe argue the insurance company who wrote their policy didn't adequately capture the risk, but I have doubts on that.
Of course this all fails from a security perspective, but it makes perfect business sense.