There has been widespread reporting this week of a recent fraud case in which fully PCI DSS compliant businesses were the victims of a huge and repeated breach that allowed the perpetrators to steal 130 million individual records.
Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
[ http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ ]
The fact that some, if not all, of the companies involved in this fraud case were PCI DSS compliant before the attacks has raised questions about the efficacy of the PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning.
“PCI is actually a pretty reasonable set of basic security recommendations,” he said. “The problem is that businesses mistake passing a PCI audit with being PCI compliant. Audits aren’t comprehensive by nature; they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly. So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously.”
Comprehensively and continuously? That is easier said than done.
I believe there is a bigger and potentially more widespread exposure that needs to be addressed.
Let’s assume for a moment that these businesses had successfully secured their networks and prevented the intrusion in the first place. What about securing the backup strategy for this same critical data?
Data backup is one area that has received little or no attention in PCI DSS compliance discussions. In fact, even the PCI DSS compliance checklist makes little or no reference to what backup responsibility businesses have.
Here is the dilemma. A PCI DSS compliant business must maintain a secure network (Requirement 6). At the same time, every business must implement a robust data backup strategy, which involves geographical separation between production data and backup data. The minute the data is copied onto a tape or disk and leaves the secure network, it is immediately at greater risk: the network controls no longer apply to that copy.
I believe that PCI DSS Compliance should add an additional requirement to the existing 12 to ensure businesses have a secure backup routine as well as a secure network.
This would be PCI DSS Compliance Requirement 13. Number 13 – unlucky for some – especially those who are still using unencrypted backup systems to protect their data.
Encrypting backups before they leave the network, combined with online backup, would keep the copies protected wherever they end up. It is good business practice, not a PCI DSS compliance checklist, that should encourage this safer backup strategy.
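As an added illustration of the "encrypt before it leaves the secure network" practice argued for above (example code written for this post, not from the author or from any PCI guidance), the Go program below seals a constructed backup record with AES-256-GCM so that the artifact written to tape or an online backup service carries no plaintext card data and cannot be altered without detection. The sample record, the backup-set label and the function names are all assumptions of this example; the key is generated in-process here only for the demonstration, where in practice it would live with a key custodian or HSM and never on the same media as the backup.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample backup payload for the demo. The PAN is a well-known
// test number, not a real cardholder record.
const sampleBackup = "record=1;pan=4111111111111111;exp=1212;name=TEST CARDHOLDER\n"

// BackupEnvelope is the only thing that should leave the secure network:
// a fresh nonce plus AES-GCM ciphertext (the authentication tag is appended
// to Ciphertext by the GCM implementation).
type BackupEnvelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewBackupKey returns a random 256-bit key. Assumption for this example:
// in a real deployment the key is held by a separate key custodian / HSM.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts the backup payload before export. label (e.g. a backup
// set identifier) is authenticated but not encrypted, so a tape relabelled to
// a different set will fail to open.
func SealBackup(key, plaintext, label []byte) (*BackupEnvelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &BackupEnvelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// OpenBackup decrypts and verifies an envelope at restore time. Any change to
// the nonce, ciphertext, tag or label is reported as an error.
func OpenBackup(key []byte, env *BackupEnvelope, label []byte) ([]byte, error) {
	if env == nil {
		return nil, errors.New("missing backup envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, label)
}

// ExportLeaksPlaintext is a pre-shipment check: true if the artifact about to
// leave the network still contains any of the given sensitive strings.
func ExportLeaksPlaintext(artifact []byte, sensitive []string) bool {
	for _, s := range sensitive {
		if bytes.Contains(artifact, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	label := []byte("backup-set-001") // constructed backup set id
	pan := []string{"4111111111111111"}

	env, err := SealBackup(key, []byte(sampleBackup), label)
	if err != nil {
		panic(err)
	}
	fmt.Println("raw backup leaks PAN:      ", ExportLeaksPlaintext([]byte(sampleBackup), pan))
	fmt.Println("sealed backup leaks PAN:   ", ExportLeaksPlaintext(env.Ciphertext, pan))

	if pt, err := OpenBackup(key, env, label); err == nil {
		fmt.Println("restore matches original:  ", string(pt) == sampleBackup)
	}
	env.Ciphertext[0] ^= 0x01 // simulate a modified tape
	_, err = OpenBackup(key, env, label)
	fmt.Println("tampered restore rejected: ", err != nil)
}
```

The pre-shipment check is the control a PCI assessor could actually ask for: run it against every artifact that is about to leave the network and refuse the export if a known PAN (or a PAN-shaped pattern) is still visible. Keeping the key off the backup media is what turns a lost tape into a non-event rather than a breach.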