PCI Compliance does not equal security

Almost all the major data breaches that have happened in the last 2 years have involved companies that were supposed to be PCI compliant. If being compliant meant that they were secure, then how could they have been breached?

There are two ways it could have happened. One, if the QSA did not do a good job, they may have got the PCI compliance certification even though they were not actually compliant. Two, the QSA did everything properly, but even after complying with the PCI requirements, they were not secure.

Let’s assume that the QSA did a proper job and look at the second reason. Let’s narrow down the scope to a web application to keep this discussion short. PCI-DSS has a set of requirements for web applications. They are supposed to be developed according to OWASP best practices and also tested for the vulnerabilities listed on the OWASP website. PCI-DSS also says that every web application has to undergo a penetration test once a year and a vulnerability scan once every quarter. These can be performed by a PCI-ASV (Approved Scan Vendor).

If the person that did the vulnerability assessment and/or penetration test was not competent enough to pick up all the problems, the report will not reflect the vulnerabilities present in the web application. During a PCI assessment, the QSA will look at the reports of the vulnerability assessment and penetration test. As long as they are clean with no problems, the QSA will go on to the next item.

A debate that has been going on for a long time is whether the application needs to be tested with credentials or not. PCI-DSS does not explicitly state that they need to be. So, many ASVs just test web applications without credentials. That means they are only testing URLs that are visible to any user. There might be a huge part of the application that was never tested.

If you look at the 7Eleven, Hannaford Brothers and Heartland Payment Systems breaches, they were all PCI compliant but they still had a huge SQL injection vulnerability that was exploited by the attacker to gain access to over 130 million credit cards. Now, Heartland’s CEO wants to hold their QSA responsible, saying that they should have caught the SQL injection vulnerability. But unless the QSA company also did the penetration tests and vulnerability assessments, he is not going to have much luck. The QSA company will just say that the reports that were provided to them were all clean.

Another thing to remember is that applications/networks are constantly changing. The PCI assessment, even though they require processes to be in place, is a snap-shot in time. Things could have changed after the assessment, but before the ROC was completed. So, you can be PCI compliant without being secure.

That is why it is important to understand the spirit of the requirements and follow secure processes all the way.