Posted Date: 2/3/2009
PCI is Not Enough: A Two Step Approach to Pinpoint an Attack
By Mike Rothman, SVP of Strategy, eIQnetworks
The message coming from the Heartland Payment Systems Breach is loud and clear. It's reinforcement of what seemed to be evident from the Hannaford Bros. breach last year. PCI is not enough. Merchants have been relying on PCI as a crutch. Comply with the 12 requirements and credit card data is secure.
Of course, anyone who has been in the security business for a while knows the folly of thinking that any set of requirements and controls will truly create security. Throughout my 20 years in the industry, that just hasn't been the case. Attackers are good and getting better. They are launching innovative attacks and rendering our defenses moot.
To be clear, there is value in the 12 requirements set forth by the PCI Security Standards Council. The PCI-DSS does a good job of laying the foundation for security, but just as you don't live on a foundation alone and expect to stay warm and dry in the winter, you can't rely on your security foundation alone for protection.
So what to do? If PCI is not enough, where should any organization dealing with credit card data spend their efforts? I recommend a two-step approach. The first step is to pinpoint the attack faster.
If we look at the three highest-profile breaches of the last few years (TJX, Hannaford, Heartland), the way these breaches came to light was via the credit card brands, whose fraud management systems pinpointed a widespread breach. After analyzing the data, it was clear where the breach happened, and only then did the merchants find out. It was months or years later.
That is way too late. So job number one is to figure out that there is an issue. The way to do that is to monitor technology systems more aggressively. PCI requires only that log data be aggregated and stored. That's clearly not enough to understand that a breach has happened. It's useful to have that data when the breach is discovered, to isolate the issue, but it doesn't help notify an organization of a compromise.
Organizations should be monitoring the configurations of the devices that handle credit card data. They should also be looking for new executables and other unauthorized changes, which may indicate a problem. And they should be monitoring the flow of data on their networks to understand whether data is leaving the organization's network.
Monitoring won't help to block the breach. But it certainly will help to minimize the damage.
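As an added example (not from the article or from eIQnetworks), a minimal baseline-and-diff check for the "new executables and unauthorized changes" monitoring described above: take a hash-plus-execute-bit snapshot of a host, then compare a later snapshot against the baseline. The sample snapshots and paths below are constructed for illustration.

```python
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# Snapshot entry per file: (sha256 hex digest, True if any execute bit is set)
Snapshot = Dict[str, Tuple[str, bool]]


def snapshot(root: str) -> Snapshot:
    """Walk a directory tree and record a hash and executable flag per regular file."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue  # skip symlinks, devices and sockets
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file; a real monitor would log this
            is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            snap[os.path.relpath(path, root)] = (digest, is_exec)
    return snap


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[str]:
    """Return findings (sorted by path) that warrant an analyst's attention."""
    findings: List[str] = []
    for path, (digest, is_exec) in sorted(new.items()):
        if path not in old:
            findings.append(f"NEW {'EXECUTABLE' if is_exec else 'FILE'}: {path}")
        elif old[path][0] != digest:
            findings.append(f"MODIFIED: {path}")
        elif old[path][1] != is_exec:
            findings.append(f"PERMISSION CHANGE: {path} exec={is_exec}")
    for path in sorted(set(old) - set(new)):
        findings.append(f"DELETED: {path}")
    return findings


# Constructed sample snapshots standing in for two scans of a card-handling host.
BASELINE: Snapshot = {
    "bin/pos_service": ("a" * 64, True),
    "etc/pos.conf": ("b" * 64, False),
}
LATER: Snapshot = {
    "bin/pos_service": ("a" * 64, True),
    "etc/pos.conf": ("c" * 64, False),   # configuration changed since baseline
    "tmp/update.bin": ("d" * 64, True),  # unexpected new executable
}
```

Running `diff_snapshots(snapshot("/path/to/baseline"), snapshot("/path/to/host"))` on a schedule and shipping the findings to the log collector turns stored logs into an alert the article says PCI alone does not require.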
Second, organizations should look at the security of their applications. Maybe adding encryption to the communications side of the application is appropriate. Maybe the better answer is to lock down all the inputs to the system and allow only certain devices to communicate with sensitive servers. Each application will be different, but clearly the longer-term answer is to ensure application security, likely using the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS) as a starting point.
Keep in mind that standards and frameworks are just the beginning, not the end-all of any data protection strategy. Forget that and suffer the consequences. Heartland is learning that the hard way.
Mike Rothman is senior vice president of strategy for eIQnetworks (www.eiqnetworks.com), a provider of security and compliance management solutions that help companies react faster to emerging threats, automate their compliance efforts and more effectively monitor security policies.