PCI Security Compliance: Q and A with Anton Chuvakin

Friday, April 22, 2011

Anton Chuvakin


In the first of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about the way the industry has misunderstood – and undervalued – PCI standards.

VPN Haus: You’ve noted that PCI standards were intended to provide a minimum foundation of security, but the standards are instead treated like an upper limit. What kinds of risk does this approach pose?

Chuvakin: Indeed, PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that.

What results is a false sense of security and also a mistaken sense of betrayal [after a] breach.  A few organizations have commented that they felt “let down” by the PCI when they were breached, while in reality they were not even compliant at the time.

VPN Haus: What is the greatest security risk in the payment card industry today?

Chuvakin: Massive arrays of unneeded stored card data – sometimes even undocumented and unauthorized – likely  present the biggest risk. The stories of card data databases and large files with PANs and expiration dates abound. Such “repositories” of cardholder data are in many cases not even needed and present a perfect opportunity for attackers.

Beyond that, there are multiple other high risk areas. Wireless is still one of the weak points, despite TJX and other breaches. Poor network segmentation where cardholder data resides on the same network as other non critical, often compromised, systems is another. Finally, insecure web applications are also one of the top vectors for card data theft.

VPN Haus: Do retailers put more emphasis on securing data once it reaches the corporate headquarters, leaving their retail stores more vulnerable?

Chuvakin: Yes, this is very common.  While the corporate data center might be guarded by fulltime security professionals, many stores want have such resources even on call.  

That is why wireless attacks against individual stores were so successful. Combined with poor network segmentation, these present a risk not only towards card data passing through the store, but also main repositories in the datacenter.

VPN Haus: Who is ultimately held accountable for data breaches among PCI-member companies? Do you think this system of accountability is effective?

Chuvakin Well, that is a hard question.  We must mention up front that the attacker stealing data is certainly the main responsible party. If the data is stolen from a merchant due to his blatant disregard of security practices and PCI guidance, than the merchant is obviously responsible.

Only then, provided that merchant was doing a good job with cardholder security, we can start thinking about “blaming the system” of modern and the chronic payment technology.

VPN Haus: What needs to change for the industry to adopt a “security and risk” mindset versus a “compliance and audit” approach?

Chuvakin: Now this is what is called “a $1,000,000 question.” The answer is very simple: I don’t know. There are many reasons why companies prefer to focus on a simpler “checkbox audit” and not pay attention to a complicated “risk science.”

The only half- answer I can suggest is explaining how compliance slash audit approach to security is faulty in the hopes that an more organizations would start thinking about their risks…

Next article VPN Haus continues this conversation with Chuvakin, tackling the mysteries of compliance and the prevalent “it won’t happen to my company” attitude.

Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the  Security Warrior blog and is based in San Francisco.

Cross-posted from VPN Haus

Possibly Related Articles:
Information Security
PCI PCI DSS Compliance Security Audits QSA Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.