August 19, 2016
Bob Russo: Breached!
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
News of network security breaches large and small continues to emerge seemingly weekly. Kmart and JPMorgan Chase are only the most recent to feel the pain and, if the Department of Homeland Security is right , the news is not going to change any time soon. In the wake of any of these breaches, talk inevitably turns to the state of the affected company’s PCI compliance. Also inevitably, the companies are found to have been PCI compliant at the time of their last assessment, but their compliance did not prevent the intrusion. At times like this, payment industry and security experts talk about how breaches highlight the difference between compliance and security and how PCI compliance alone cannot protect your business. And, these admonitions are not restricted to security vendors trying to sell you a solution. The head of the PCI Security Standards Council agrees with them.
PCI assessments are a snapshot in time, says Bob Russo, general manager of the PCI Security Standards Council since its inception in 2006. PCI compliance is a starting point, not a goal. Constant vigilance after attaining the basic level of security ensured by PCI compliance, he says, is the only way to limit your exposure. In fact, at the most recent CNP Expo, Russo used a very personal story to illustrate his point that “this is really about security. This is not about compliance.”
I’m the perfect example. I think I’m PCI compliant in my life. Really. I live in New York City. In my house I have an alarm system. I have a video surveillance system with a DVR that goes 60 days. I have what’s known as security screen doors. It’s like a jail. It’s decorative, but you need a key to get in and a key to get out. And I have a dog. So I think I’m PCI compliant in my life.
Yet, two years ago, I was robbed.
I get up at 6 a.m. When I’m working I generally work from home. I walk from my bedroom to the next room, which is my office. I sit down at my laptop and check my email. I get up on this particular morning and there’s no laptop. I turn around and the door to go out onto my porch that leads down to the yard is propped wide open by a flower pot. I wipe the sleep from my eyes and realize, ‘Oh my God, I’ve been robbed.’
They got my laptop—thankfully encrypted—they got a GPS, camera, etc. And, to add insult to injury, they put all of the stuff in my PCI backpack and walked out with THAT.
Russo called the police and, while the New York City detectives who responded to the call were impressed by his security measures, they were a bit baffled that those measures didn’t prevent a crime from happening. It didn’t take long, however, to find out.
It was July, but it wasn’t hot enough for air conditioning so I opened the window to my bedroom. When I did that, I had no idea that the alarm for the door that went to the outside from my office was on the same circuit. So the alarm wasn’t on for that door. My wife had gone out into the yard that day through the triple locked screen door. And when I went to bed that night the door was closed. I knew I hadn’t gone out there so I never bothered to check if it was locked.
I have a video surveillance system, but that’s like logging. If you’re not actually looking at it when the guy robs you, you don’t actually know you’re being robbed. So I have beautiful video of this guy leaving my house with my PCI backpack on. And my dog is 15 years old, and she’s deaf.
So, I’m PCI compliant for sure. But I’m not secure. And that’s the issue we’re seeing with these guys.
Russo fully admits that on the day the assessors signed their certifications, companies that subsequently were breached, large and small, were most likely compliant, too. But, like he did, they forgot to check if the door was locked. So, what can a company do? To Russo it comes down to paying attention to the safeguards most companies already have in place, and doing so constantly.
“I know you all just want to buy something that makes this go away,” says Russo. “Unfortunately, it doesn’t exist. It may in the future, but it doesn’t now. So, if you want to accept credit cards, these are the things you have to do to protect your business.”