Page 28 - GS131001

Views

Does checkbox PCI compliance leave MSPs exposed?

By Chris Bucolo
ControlScan Inc.

At the conclusion of a recent court case involving an Internet retailer's cardholder data breach, the financial losses – including legal and forensic fees, card brand fines, and cardholder losses – totaled more than $500,000. Surprisingly, an ISO and a third-party information technology (IT) company, not the merchant, were found liable in the settlement. The ruling: negligence and breach of contract.

This case concerned "checkbox compliance" in completing the Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ). The merchant presented evidence that the ISO it engaged served as the merchant's adviser for the SAQ process and that the ISO had incorrectly pre-populated SAQ items.

Furthermore, the third-party IT company had also supplied erroneous responses for other segments of the SAQ. The flawed SAQ, which stated that controls were in place when they were not, led to a breach of data from nearly 25,000 payment cards.

Unfortunately, such court cases and outcomes are fairly common. Pressure to quickly complete (and pass) the SAQ process can lead ISOs, acquirers and other merchant service providers (MSPs) – and their merchant customers – to take shortcuts that expose everyone involved to the risk of undiscovered, unmitigated security flaws that data thieves are adept at exploiting.

Making it simple for data thieves

It's easy to see why merchants dread the PCI SAQ. With pages of questions on a complex and unfamiliar topic, it is very tempting to simply "check the box" and move on. ControlScan's annual study of small merchants' payment security awareness shows that businesses have a history of relying upon their service providers for help in attaining PCI Data Security Standard (DSS) compliance.

And MSPs want to assist by guiding their merchant customers through the arduous SAQ process. A speedy PCI compliance validation process builds relationship value between the MSP and merchant, because related hassles and fees are reduced.

Checkbox compliance, however, is a short-term solution that can create serious long-term problems. With each consecutive instance of checkbox compliance, merchants move further from the baseline security practices outlined in the PCI DSS. Hackers and data thieves utilize automated tools to seek and exploit the security holes these businesses typically leave behind.

The situations leading to checkbox compliance are numerous. In some cases, it results when confusion exists regarding which SAQ form to choose, or when merchants default to answering "yes" because they don't understand the intent or direction of the questions being asked. When an outside party completes all or part of the SAQ for a merchant, but has insufficient knowledge of the merchant's payment infrastructure to provide accurate responses, checkbox compliance is also said to have occurred.

In its 2012 Data Breach Investigations Report, Verizon Wireless noted that 96 percent of breach victims it studied were not PCI compliant and that noncompliance served as a "major factor" in compromise events. In addition, Verizon reported that "most breaches were avoidable … without difficult or expensive countermeasures." Knowing this, it's easy to see why checkbox compliance does nothing but disable merchants' defenses and enable data thieves' entry.

When MSPs ensure that merchants within their portfolios dedicate the appropriate time and resources to properly completing the SAQ, the instances of PCI noncompliance decrease; consequently, so does the risk of data breaches.

Populating the SAQ with accurate information also provides documentary evidence of the merchant's commitment to the PCI process. Conversely, if merchants choose to rush completion, or half-heartedly address the SAQ, that, too, will document the nature of their involvement, which may prove important in the event of a breach and subsequent legal proceedings.

Shifting blame to MSPs

Regardless of who is involved in SAQ compilation, merchants and their MSPs are jointly responsible for ensuring that questionnaires are completed accurately and that system and process updates are performed as dictated. If merchants fail to live up to their end of the bargain, fair or not, their MSPs may be held fully responsible for any breach-related losses.

In another case, a Level 4 restaurant merchant sued its payment processor and POS systems integrator for negligence, claiming the restaurant was an unwitting victim of checkbox compliance that led to a breach of just under 35,000 credit card numbers. The business completed an SAQ D in both 2007 and 2008 as "compliant," yet it had numerous undetected PCI violations, including unsecured remote access, default passwords and an unprotected legacy system left in operation during, as well as following, the implementation of a new POS system.

What went wrong? First, the systems integrator that had recently installed the restaurant's new POS system provided