The High Price of “Faking” Your PCI Compliance Status

By Todd Bell
Global IT Security, Setting Strategy & Building Programs,
Rearchitecture Design

Introduction

During the height of the Colorado Springs fires, in which 346 homes were lost, another fierce fire was burning at a well-known company that was “faking” its PCI compliance status to its acquiring banks and the millions of customers they serve. It was appalling to watch employees of this firm, from Senior Managers to Security Managers to even a Principal Engineer go through spreadsheets and check off PCI compliance for applications and systems that were not properly validated and did not meet the PCI Standard. Our job, as sub-contracted consultants, was to review the razor-thin compliance evidence that was provided by system owners. Most of it was lacking proper screen shots for validation and was missing evidence to prove security controls were properly implemented. Our hired team continued to advise this Fortune 500 client that they were operating well below the PCI Standards, they did not properly understand the PCI Standard beyond just reading the PCI requirements, and that they did not understand the importance of PCI and the legal ramifications for failing to implement it. This level of neglect might be expected from an organization that is new to PCI or doesn’t have an IT focus, but the irony of this whole ordeal lies in the fact that this was a leading IT security company.
As a leading security company, they wanted to perform a PCI self-attestation, so they hired a third-party consulting firm to advise them on how to properly achieve PCI compliance and to assist in rebuilding the entire Cyber Security Program. While the third-party company was hired under the guise of helping the client properly secure their environment, it was nothing like what we expected. The PCI Council forbids QSAs from engaging in fraudulent activity, hence we could not engage in fraud and deliberately deceive the acquiring brands and ultimately — millions of consumers. Unfortunately, this was not an exception, and I have experienced similar situations three times over the past five years. Before this, I had experienced the same situation with a prominent Fortune 500 company that had employees from one of the recently failed mortgage banks misleading the CISO and downplaying serious security issues. Another example of PCI fraud I have encountered occurred with a well-known retailer that was more focused on “gaming” the PCI standard than spending the money to fix the security issues to protect cardholder data.
One may ask why I didn’t report these three companies to the payment brands and the PCI Council, because aren’t I as culpable as the offender? During my QSA (Qualified Security Assessor) training over the years, I have learned about some individuals turning in their own clients that have committed PCI fraud, but it is frowned upon for many reasons. Even so, no QSA company should be actively supporting a client that engages in deliberate fraud to deceive the acquiring banks, payment brands, or its customers. When a company performs either a self-attestation or has a QSA perform attestation, this is a legal and contractual commitment that has severe financial consequences.

After further analysis of the three companies that chose to short-cut the PCI Standard, I started to research the common denominators of each company and the attributes they each possess:

  1. All three companies have had some type of past security breach
  2. All three companies “self-attest” under the PCI ISA program
  3. All three companies have had a lot of controversial coverage in the media
  4. All three companies are considered the best in their industry
  5. All three companies have had some type of fraud at the executive level as shown in past media reports
  6. All three companies were using the same Fortune 500 Outsourced Data Center Service Provider (directly and indirectly)

When companies are “faking” their PCI compliance status, it is not only fraudulent activity and a breach of contract with the acquiring banks and payment brands; it is also a breach of customer trust. When employees actively engage in “faking” their company’s PCI status, often it is because of a company culture of leveraging “managerial convenience” over safeguarding credit card data. The top executives of any firm set the tone for the company and contribute heavily to corporate culture. When the behavior at the top includes past fraud among its executive ranks, it permeates down to the rank-and-file employees as acceptable behavior. Unfortunately, the consumers are the ones who lose in the long run, because they are the ones at risk. In addition, this is a greater risk exposure to the payment brands that have to deal with the financial consequences of potential fraud at a time when swipe fees are at the forefront of controversy.

Over the years, I have met many CIOs and CTOs who have measured the PCI standard against their competition or past companies they have worked for and firmly state, “They are not PCI compliant, so why is our company being held to a higher standard?” The answer is simple. The PCI Standard is the same for every company, and the competing company chooses to operate below the PCI Standard and put their customers at risk. The probability of a security breach increases with each year that passes by.

While these three companies may think they are prospering by underscoring their PCI compliance status, they are hurting consumers. The Federal Trade Commission (FTC) will take notice when consumers are at risk of harm. In a past ruling, Dave & Buster’s settled charges that required the company to obtain independent professional audits every other year for 10 years and FTC compliance monitoring on top of annual PCI assessments. This summer, the FTC filed a suit against Wyndham Hotels for three security breaches in less than two years. While no ruling has been made, this will cost Wyndham Hotels thousands of dollars to defend against the suit, and it is uncertain whether the hotel chain will face steep fines and penalties from the FTC.

While it is easy to criticize these three past companies that I have worked with as a sub-contractor, again I have to ask myself whether I am culpable. I do accept fault for failing to convince these large companies to do the right thing, but I fell on my sword trying to convince the companies to maintain integrity in the process. Truth be told, there is a sense of failure no matter how hard you try to do the right thing, and failure will always cost everyone in the process. I have addressed how it costs consumers, and how it often affects the company engaging in the behavior, but it costs others as well. Oftentimes it costs the consultant their job, and then it begins to impact the credibility of the PCI standard itself. In the long run, faking PCI compliance erodes the PCI standard that was put into place to protect consumers, companies, and individuals. Undermining it is no different than allowing a child to cheat their way through every test so they can get that college scholarship – it contributes to a culture of fraud. Let’s say the cheating student does get that scholarship. Because they have cheated on every test, they have to continue to do so, first because they lack the basic knowledge of their non-cheating counterparts, but also because they lack the study habits and mental focus they should have acquired in school. They couldn’t stop cheating now if they wanted to: it’s too late. They will cheat until the professor catches them. Once caught, they are stripped of their scholarship, and their academic and personal record is tarnished forever. The situation is the same with corporate fraud: while faking compliance may save money in the short term, the longer the fraud is practiced, the more painful it will be for them to ever gain true PCI compliance. While it may take more time to study to pass the test fairly, and it may take more money to gain compliance, like many things in life, the payoff will be well worth it!

References

1. Dave & Buster’s Settles FTC Charges it Failed to Protect Consumers’ Information, March 25, 2010

2. FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers’ Personal Information, June 26, 2012

About the Author

Todd Bell

Todd Bell is a revered subject matter expert in the field of IT Security who has made significant and transparent impacts that protect businesses and consumers alike. His impact is evident in the daily lives of people across the world by protecting their most secure information behind the scenes. For consumers who have traveled by land, sea, or air, used a credit card to purchase goods and services, used kiosks or global payment systems, utilized smart phone technology, purchased gift cards, received pharmaceutical information, provided patient data, gambled on-line, banked with major institutions, or provided financial information for lending, there is a significant chance that Bell may have had an impact on the protection of their data.

Bell’s track record keeps him in high demand. Since taking his first CISO position seven years ago, he has worked as a Strategic Security Advisor for global institutions and as an Outsourced CISO. His Fortune 500 clients have never had a security breach, a result of his attention to detail, knowing the tough questions to ask, using investigative methods to get proper infrastructure facts, identifying enterprise weaknesses, and utilizing a natural instinct to understand the entire enterprise from top to bottom, understanding that securing sensitive data impacts every department. Bell credits his success to the premise that trust and credibility must be established with other executives through accountability and being culturally sensitive to business members across the globe. Bell has managed to overcome time constraints and language barriers while staying focused on business objectives, which has earned him “trusted advisor” status with clients, as evidenced by his LinkedIn referrals profile.

COMPANY INFORMATION

EC-Council
https://eccouncil.org