As details filter out about the Home Depot hack (and many, many more data breaches), you can't help but ask: How did this happen -- especially when the company was supposed to adhere to specific safety regulations or else lose its capability to process credit card transactions?
According to The New York Times, Home Depot's flawed security system allowed customer information to be stolen for months, unnoticed. These flaws include using outdated Symantec antivirus software from 2007, not continuously monitoring the network for suspicious behavior, and performing vulnerability scans irregularly and at only a small number of stores.
This shouldn't have happened happen. Home Depot, like any merchant that accepts credit cards, must comply with security standards set by the Payment Card Industry Security Standards Council. Formed in 2006, this group of credit card issuers sets minimum standards for companies that accept credit cards.
"The threat landscape is constantly evolving, and PCI SSC expects security standards to do the same," Stephen W. Orfei, GM of PCI SSC, said in a statement. "Recent attacks are concerning, but we are confident that, in partnership with our community of experts, we are keeping our standards and guidance sharply focused on securing payment card data globally."
PCI Sets 'Baseline' Security Standards
In theory, PCI is good for retailers. Security is expensive, but PCI sets a minimum standard that everyone must adhere to, discouraging competitors from cutting corners to maximize profits.
"PCI standards provide a strong baseline protection and should be part of any risk-based and layered approach to security," Orfei says, adding that version 3.0 of the PCI Data Security Standard addresses "how to make security 'business as usual,' what to consider when working with third parties and how to use layers of defense to protect against malware."
That said, PCI standards aren't perfect against preventing fraud. Mike Lloyd, CTO of RedSeal Networks, a security risk management solutions firm, equates it to signs in bathrooms that tell employees they must wash their hands before returning to work.
"It's not the be all and end all of perfect medical care. Those signs aren't perfect hygiene, but it's setting a basic bar, and if everybody follows that, we're all better off," he says. In the same way, PCI standards set that minimum bar: "They require your competitors to come up to the same base level."
If your competitors follow those minimums, that is. Based on information Vinny Troia has seen about the Home Depot hack, he doesn't think the retailer should have passed its assessment, as the company allegedly wasn't checking its logs daily.
"Any time that data was being collected and siphoned off and sent somewhere else, that would have been captured in the security logs," says Troia, CEO of Night Lion Security, an information security consulting firm. "If you have the equivalent of a leaky faucet, and you're looking at it every day, you're going to notice it. Maybe you look at it once a week. If things get really bad, maybe once a month. But Home Depot dragged it on for five months before they figured it out."
PCI, Auditor and Client Goals Rarely Align
PCI reporting requirements change depending on the size of your business. Smaller companies self-report. Larger companies such as Home Depot must use a third-party entity called a qualified security assessor (QSA) to perform what's essentially a security audit to make sure they comply.
The goals of PCI, retailers and QSAs don't often align, Lloyd points out.
- PCI is meant to protect card issuers and make sure that consumers feel safe enough to keep using credit and debit cards, therefore ensuring card issuers make a profit. That's why they set these standards.
- Retailers want to make as much profit as possible profit by keeping costs as low as possible. Security is expensive, especially for big retail chains, and it's a tempting spot to start cutting corners.
- QSAs, a group that includes big names such as PricewaterhouseCoopers and AT&T Consulting Solutions, also look to make a profit. They do that by performing as many security audits as possible -- and retailers pay for those audits.
Fixing PCI: Automation, Fewer Cozy Relationships, Penalties?
Lloyd points to the relationship between a retailer and QSA as one potential weak point in the system. "Not all QSAs are the same," he says. "They have to compete with each other, too."
It's not uncommon for retailers to shop around for QSAs, he adds. Requiring retailers to hire a different QSA at least once every other year would prevent the relationship from being too cozy.
Orfei says PCI doesn't control or enforce the merchant/QSA relationship, which it sees as similar to any other client/auditor relationship. "Just like other auditors, QSAs have a responsibility to provide an independent third party assessment," he says.
Lloyd also recommends automation. "We're all engaged within this industry and trying to figure out how much of this we can automate, because that's where the profit is," he says. "Take PCI standards and turn them into something a machine can do and try to grab as much automation as we can."
Automation would lower the cost of meeting PCI standards. That, in turn, would increase the odds that companies would follow those standards without cutting corners. Automating the work of the QSAs means that there's less room for human error, too.
Another tactic: Penalize companies that don't comply. "In the case of all these breaches, it hasn't been done once. Transactions are never suspended," Troia says. "My personal opinion is it's the only way someone is really going to get the message."
Orfei says PCI doesn't play a role in managing compliance with its own standards. "PCI SSC is focused on payment security thought leadership including developing technical standards. Incentives or enforcement to comply with PCI Standards is the function of card brands and bank partners."