Is this going to fly? What are the dangers? Are people properly reporting the risk of accepting the consequences of the paragraph of death?
Lets have a look.
Like most IT shops, there are many shared resources between all branches of the organization. PCI DSS calls for separation of many core services, which will prove very difficult, if not impossible to do. Lets take one example that is applicable to nearly everyone authentication and authorization.
According to the PCI DSS, you have to deploy stateful firewalls and segment off all parts of your network from PCI operations. If youve dealt with Active Directory, you already know that it uses just about every port under the sun to perform its duties. So how in the world do you share your single enterprise authentication system with PCI segments of your network?
The answer, in my experience, is not easily. I have yet to find a large organization that has successfully produced an architecture that meets the PCI DSS and shares a single enterprise-wide authentication system. The exception to this is one place where all they do is PCI related work so the entire network is baselined against the PCI DSS.
I took my question to an ex-high-ranking Microsoft staffer. He too confirmed exactly what I have discovered. Companies wishing to meet the standard per the black and white requirements are going to have to build stovepipes in the organization. In Microsoft speak, this means additional forests in the domain structure, if not separate domains altogether. This is where the costs come rushing in and the game of three card monte begins.
Paying the Piper Anyway
Companies understand that they cannot possibly afford to rip out shared infrastructure. They also understand that PCI fines are expensive.
In walks what I refer to as the Fight Club Calculation. If A + B < C then we pay the fine. In other words, some places have actually decided that they will come as close to compliance as they can and then simply pay the fines should they get visited by an auditor who is especially aggressive with his or her findings.
Simply put, in some cases it is cheaper to pay the fines than to actually achieve compliance. Later we will see just how Visa is dealing with those that are relying on this strategy.
Other companies have justified not meeting each requirement by simply documenting why they must do certain things as part of the core business operations. This goes back to requirement 1.1.7, which requires you to document any risky protocols used in the normal course of your business process.
Once IT staffers document the details, they pass the assessment up to the legal and business departments and ask them to accept the risk. Have the IT people done a disservice to those who are accepting the risk? They certainly have if they didnt advise them of the consequences of the paragraph of death.
The paragraph of death is simply a nice little oh, by the way provided to you by the credit card companies. When there is an incident, everything you do will be examined with the highest degree of scrutiny. And if this isnt bad enough, if you do have an incident you will automatically be treated as a level 1 shop regardless of whether you qualify or not.
Translate that into hard numbers and you can be holding a half million dollar fine should you have an incident at a time when youre not compliant. How many decision makers are aware of this? Not many. How many organizations can afford this kind of penalty? Again, not many.
I recently had a conference call with a world-renowned educational institution. They faced the same issues as all large organizations with a shared infrastructure. After determining that they would bankrupt the 200-year-plus institution if they met the entire standard, they decided to simply document the business processes, document why they do certain things and then simply hand the document up to the legal and business professionals to accept the risk.
When I asked how they presented the paragraph of death to those who are accepting the risk, there was a long period of silence on the other end of the phone. Seems that they overlooked a very important detail.
From Visas website:
If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
If you read the entire process on Visas site, it sounds very close to a tactical military operation if you end up with a breach. I have visions of black Chevy Suburbans screeching up the road and parking on the lawn of the organization. While the image may be somewhat comical, you can be sure that C level folks will not find it the least bit funny if they see the Visa IRT (Incident Response Team) vans sitting on company grounds, especially when the parting gift is a six figure fine.
What makes this paragraph especially scary is that an organizations reaction to a breach may not meet the definition of immediately in the eyes of Visa. Many times when an incident takes place, it takes a large organization quite a bit of time to determine what really happened. Furthermore, when you see the price tag of non-compliance, not many C-level executives are going to be around if an organization is handed a half million-dollar fine should Visa find that the organization was not compliant at the time of the incident.
At the end of the day, security practitioners, lawyers, business managers and anyone else who deals with credit card transactions in the course of operating their businesses need to be aware that PCI is no joke.
Many of us who have set out to meet compliance have learned that the regulation wasnt designed to fit nicely over our existing business processes. In many cases, drastic changes in mindsets, technologies and business processes are going to have to take place.
Otherwise, you will find yourself sitting at the wrong end of the company checkbook when fines are dumped at your doorstep. If you are responsible for accepting that risk in your organization, Id highly advise that you sit down with your legal team and decide what the paragraph of death means to you both professionally and personally from the perspective of liability.
When it comes to PCI fines, in many cases it will be one strike and youre out.