Caught within the PCI-DSS box

PCI-DSS is slowly and steadily rising on the priority list of a lot of companies. At AppSec Consulting, being a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), we have noticed quite an upsurge in requests for PCI-DSS related work from a lot of companies of varying sizes. PCI-DSS came into being to ensure that card holder data is secured by merchants, payment processors, issuers, etc. So, what is wrong with this picture?
Well, sometimes good things can also have a bad side. And one of those sides seems to be peeking out. Everyone is so concerned about being PCI-DSS compliant that they seem to be forgetting that there is a world outside of PCI-DSS. In my previous post, I talked about the intent of PCI-DSS and how it is sometimes (mis)interpreted.

PCI-DSS’s primary goal is to protect Card Holder Data (CHD). This data is credit card numbers, CVV, track data, etc. When you start a PCI-DSS compliance project, any competent QSA will tell you to reduce scope. This means isolating anything that transmits, stores or processes CHD. Only this part of the organization/environment will be in scope for the assessment. What happens to all the other applications and network components? Well, the QSA does not have to go there or verify the security of those components.

The problem is that when PCI-DSS looms large, it is easy to lose sight of the other components that are out of scope. You can do everything right within the PCI-DSS environment and not be secure at all outside of it. How can we prevent this situation? The first thing that you have to realize is that PCI-DSS is not the “be all and end all” for security. What you need is to develop a culture of security across the entire organization. PCI-DSS is just one of the standards that provide a framework.

For instance, PCI-DSS requires you to review firewall rules at least every 6 months. This is good advice. But are you doing it for all firewalls within the organization or are you doing it for just the components in scope for PCI-DSS? It is easy to argue that when you are facing a deadline, you cannot look at the whole organization. That is the point. Before you even think about PCI-DSS, you need to put in place all the policies and procedures that will determine your entire organization’s security posture. If everything else is in place, PCI-DSS becomes just another check box and it will actually be easy to become compliant.

I am still surprised to see so many organizations that do not even have basic security in place, and this after so many high-profile breaches that have become front-page news. There are always things to do. Not securing your assets (data, network, etc.) can become a major headache, financially as well as in terms of effort. At the earliest opportunity, it is imperative that you review your current security posture and take appropriate steps to bring it up to par, if need be. Look at the whole picture, not just through the PCI-DSS lens.