PCI Security: Q&A with Anton Chuvakin, PCI Compliance Expert
VPN Haus: You've noted that <a href="https://www.pcisecuritystandards.org/">PCI standards</a> were intended to provide a minimum foundation of security, but the standards are instead treated like an upper limit. What kinds of risk does this approach pose?
Chuvakin: Indeed, PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false se
VPN Haus: What is the greatest security risk in the payment card industry today?
Chuvakin: Massive arrays of unneeded stored card data - sometimes even undocumented and unauthorized - likely present the biggest risk. The stories of card data databases and large files with PANs and expiration dates abound. Such "repositories" of car
Beyond that, there are multiple other high-risk areas. Wireless is still one of the weak points, despite TJX and other breaches. Poor network segmentation, where cardholder data resides on the same network as other non-critical, often compromised, systems, is another. Finally, insecure web applications are also one of the top vectors for card data theft.
VPN Haus: Do retailers put more emphasis on securing data once it reaches the corporate headquarters, leaving their retail stores more vulnerable?
Chuvakin: Yes, this is very common. While the corporate data center might be guarded by full-time security professionals, many stores won't have such resources even on call. That is why wireless attacks against individual stores were so successful. Combin
VPN Haus: Who is ultimately held accountable for data breaches among PCI-member companies? Do you think this system of accountability is effective?
Chuvakin: Well, that is a hard question. We must mention up front that the attacker stealing data is certainly the main responsible party. If the data is stolen from a merchant due to his blatant disregard of security practices and PCI guidance, then the
VPN Haus: What needs to change for the industry to adopt a "security and risk" mindset versus a "compliance and audit" approach?
Chuvakin: Now this is what is called "a $1,000,000 question." The answer is very simple: I don't know. There are many reasons why companies prefer to focus on a simpler "checkbox audit" and not pay attention to a complicated "risk science." The only half-
Next week VPN Haus continues this conversation with Chuvakin, tackling the mysteries of compliance and the prevalent “it won’t happen to my company” attitude.
Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the Security Warrior blog and is based in San Francisco.