Every transaction system used by a North American business that use credit cards has to follow the Payment Card Industry’s standards. But against the background of continuing breaches at retailers the PCI’s latest version, released last fall, was panned by experts at a Toronto security conference.
“I expected a lot more,” said Gregory T. McClean, information security officer for North America and Asia at bulk packaging manufacturer Transcom International told the SC Congress conference in Toronto on Tuesday. “When 3.0 (of the Data Security Standard and Payment Application Data Security Standard) came out I was extremely disappointed.” McLean noted that of almost 100 changes in the new version, only 17 could be called actual requirements. “I read PCI 3.0 as a guideline rather than a standard,” he said.
McLean used the example of authentication as one case where stronger language is needed – and the lesson could be applied to IT security anywhere. “There’s more of an encouragement here to use strong passwords – and people need to use good passwords – but PCI isn’t saying so definitively,” he said. Mclean called the authentication elements in PCI “a step in the right direction,” but said they could have been made stronger.
Asked about the state of security collaboration after the session, McLean told IT World Canada that he’s frustrated by the lack of communication between security professionals. “The black hats share information with each other all the time, any time,” he said. “But the white hats- the good guys – we just don’t share data and help each other out the same way.”
Omkhar Arasaratnam, chief security architect for TD Bank Group, also viewed the new 3.0 PCI standard as falling short on specific and strict requirements. “What strikes me about PCI – anywhere from 1.0 through to 3.0 – isn’t that there are any egregiously difficult requirements. If you look at this as a technical security person, it’s all common sense. What continues to get me is the PF Changs, the Macy’s, the targeted breaches that are just simply poor security.”
Arasaratnam contrasted the lack of rigour in PCI 3.0 to the Sarbanes-Oxley legislation in the U.S., which does include strong penalties for non-compliance. “Getting hit with non-compliance with Sarbanes-Oxley comes with real penalties, ones that can directly hit the bottom line by scaring off investors. That has teeth in it,” Arasaratnam said. “People may point to the fact that the Target CEO left his position after the company were breached, but that was tangential at best.”
Later in the day a three-person panel discussed what the panelists felt were the top three current security threats. Panelist Phil Umrysh, who is director of information security and compliance for Loyalty Group, which offers the Air Miles reward program, told IT World Canada that in his view the top three security challenges are “shadow IT,” third-party access to data and the IT environment, and endpoint security – especially when it comes to mobile devices.
“‘Shadow IT’ refers to users using cloud services – SaaS stuff where people send data to a service like DropBox and your DLP software shows that data being moved there,” Umrysh said. “There’s something like 15,000 different cloud service providers out there. How do you even stay in control of all that?”
The problem is compounded by the reluctance of cloud service providers to disclose to their own customers what they’re doing about security, Umrysh said. “We have a vendor questionnaire that asks about what the vendor is doing about security. Amazon just won’t provide the information. To me that amounts to a security problem, and we just won’t entrust anything sensitive to a cloud provider that won’t tell us what their security is. We might do small pilot tests with unimportant data but that’s it.”
The problem is compounded by the refusal of many cloud service providers to allow customers to encrypt their own data, Umrysh says. “That’s a real warning sign. You just can’t afford to trust a provider who not only won’t tell you about their security, but also won’t let you use your own encryption.”
Umyrsh believes that the time is ripe for a change in attitude, but, as with so much in security, it may not come in a positive way. “I think the first major breach in a cloud environment will be monumental,” he said. “It’ll go prime time. But I don’t want to be that first guy. We need to do a better job together on security as cloud customers. Why are we allowing a cloud provider to say they won’t tell us about their security – and after that, that we can’t use our own encryption?”
In a session titled “InfoSec Impact on Enterprise Strategic Goals,” Jamie Rees, director of information assurance and CISO for the province of New Brunswick described how his team ensures data security and privacy for the provincial government’s IT back-end, even during major transitions and upgrades.
As you might expect, the process is complex, with a host of variables and potential threats to the security of sensitive information. But Rees maintained that a big part of the job is a question of maintaining and building networks of mutually supporting relationships with other people in other departments within the bureaucracy. Sometimes that means overcoming the resistance of some colleagues who see the security function as essentially a matter of turning down their requests and making their lives harder – a perception echoed in other presentations.
“They have a whole lot more stuff going on than just IT security,” he said. “But I’ve taken a kind of ‘fake it until you make it’ theme – I decided I’m going to just keep showing up. Otherwise it’s just the security guys. I don’t ask – I tell them I’m coming and I work with them.”
The conference continues Wednesday.