Chapter 14. PCI and Other Laws, Mandates, and Frameworks
Take a look at the information security and compliance landscape. Do you think Payment Card Industry (PCI) is the worst thing out there? It's not. If you don't believe that, rope in your legal team and ask them which of these information security regulations or laws stand to damage a company the most. In this chapter, we want to expand upon the idea that there is an overlap between security standards and laws – an idea introduced in Chapter 10, “Managing a PCI DSS Project to Achieve Compliance.” In reality, most laws and regulations that deal with protecting information are closely tied back to good information security practices (notice the term was good, not best). As a company, if you focus on information security instead of compliance, your long-term costs are dramatically lower.
In this chapter, we will learn how PCI augments and supplements many of the other compliance initiatives that companies must address. Arguably, this section is quite U.S. centric, but our coverage of PCI as it relates to ISO 27000 is meant to take a more global approach without getting into every country's specific legislation – that's what your legal team does. Arguably, for those countries or municipalities that have data breach notification laws, you will see a corollary between your particular situation and the PCI and State Data Breach Notification Laws section in this chapter. In the Regulation Matrix section at the end of this chapter, we will provide a small compliance matrix that will compare (at a high level) PCI to the other regulations we cover to illustrate the amazing amount of overlap that exists.
PCI and State Data Breach Notification Laws
According to the National Conference of State Legislatures (www.ncsl.org), “forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information”[1]. That's right, only five states (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota) have not enacted laws that fall into this class, but rest assured, they most likely will. These laws are primarily used as a vehicle to prosecute companies that are irresponsible with their residents' data. In most cases, the laws do not limit themselves to companies that have physical locations in their state, but instead focus on the resident. In other words, if you do not have a store in Montana, but someone from Montana does business with you and you lose their information, you are required to follow the process in their law (Mont. Code Section 30-14-1701 et seq., 2009 H.B. 155, Chapter 163). Neither author is a lawyer, so understand that you should perform a formal risk analysis (if you have not already) on these laws to understand what your liability is, and where they fall.
Dealing with this many institutions seems like a horrible prospect, especially if you ever spend time reading any of these regulations – they are an insomniac's saving grace! But there are some commonalities that most of the regulations share that are relevant for comparison with PCI.
Origins of State Data Breach Notification Laws
Most of the laws you see enacted today can point back to the infamous California Senate Bill 1386 (SB 1386) for their origins. SB 1386 became effective on July 1, 2003, and contained revolutionary legislation that helped to shape how companies globally dealt with information security breaches.
Before laws like SB 1386, data breaches were typically swept under the carpet and only those very close to the matter even knew something occurred. Your sensitive data was in the hands of a bad guy, and you never had a chance to defend against it because you didn't know a breach occurred! The only way you would know is if you decided to go finance a new car or home, and the finance people had the “sit-down” meeting where nothing good happens. Did you know that you owed $50K on another car in another state?
Identity theft is much more dangerous for individuals than a credit card breach. If your credit card is stolen, as long as you are on top of your finances and validate every transaction on your statement (i.e., catch it early), you will probably have no financial liability. If you wait, things may be different. But if someone opens a line of credit under your name with stolen information, it could take years to clear your name and restore your credit. SB 1386 was the first of many that intended to protect residents against this kind of identity theft going unnoticed.
Commonalities Among State Data Breach Laws
So with 48 (potentially) different laws that you have to deal with, what are some of the commonalities that you can leverage? How about we start with something that is typically not included in all of these laws?
Most of the laws apply to electronic or computerized data, and do not apply to paper records. An example where a case was thrown out because of this technicality is a case from early 2009, Pinero v. Jackson Hewitt Tax Service Inc. In this case, the plaintiff's claim was rejected because the data loss (or mishandling) in question was hard copy, paper-based data, not electronic data. Only lawyers and legislators may know why the laws were written this way, but most likely it is because the largest data breaches in the last several years have been computer or electronic based. Dumpster diving still happens, but the mount of data that you can reach via networks and computers far exceeds what might be thrown out with yesterday's lunch in a smelly dumpster. Why get dirty when you can obtain more data in your pajamas while being serenaded by reruns of your favorite sitcom?
Not all states are like this, however. California's SB 1386 and Alaska's legislation specifically protects all personal information, sometimes called personally identifiable information (PII), regardless of the media on which it is stored.
This brings us to the next “UN” commonality, what defines PII? This is a painful question whose answer varies slightly among all the different pieces of legislation by which you may be required to comply. All the different permutations are far outside the scope of this book, but it's a great example of when it's appropriate to bring in your legal team. Make sure that they pay close attention to what kind of data could become PII just based on what is stored near or around it! As an example, look at the scoping section of PCI DSS. If you store the expiration date of a credit card by itself, it is not considered cardholder data. But if you store it “near” the actual card number, it is considered cardholder data, and subject to the same requirements as the card number itself. Once you complete this process, you will realize how scary of a picture this legislation paints, and will take a hard look at the data you do store about your consumers, and the need to store it and ways to protect what you do store.
One commonality shared among several of the states is an “escape hatch” for encrypted data that is lost. Many states say that you do not have to go through the notification process if the only data that was lost was encrypted data. This is another nuance that your legal team should consider, as many states and some of the Federal Banking Inter-Agency Guidance do not make that distinction. They consider an encrypted tape the same as they would an unencrypted USB drive, and require notification per their guidelines.
The final commonality that varies between states is the time you have to notify and method by which you must do it. Each state approaches this slightly differently, including some that have an allowance for working with law enforcement before a notification is made, and others that put a specific time limit (usually somewhere in the 30-day range if it is spelled out) by which you must notify consumers. The notification in most cases must be something prominent, and potentially to include multiple communication methods, from posting a bulletin on your Web site, to taking out ad space in a media outlet, to issuing a press release. Again, unfortunately, you will not save on legal fees by reading this book. The best advice you will get is to closely involve your legal team when planning your data breach notification strategy.
How Does It Compare to PCI?
With the commonalities we mentioned earlier, there are several ways that PCI and State Data Breach Notification Laws compliment each other. Looking at the types of media covered, PCI DSS covers all types of media (paper and electronic) as do some states and the U.S. Federal Government. From a notification perspective, you may not be required to notify individual cardholders under PCI DSS, but you are required to have an incident response plan (Requirement 12.9) and notify your acquirers, card brands, and potentially law enforcement, depending on the situation. This means that your Public Relations department is probably already involved, so extending a message to consumers is just one step farther than you have to go for PCI DSS.
PCI DSS can have an “escape hatch” if you were found to be compliant at the time of the breach. So far, the card brands maintain that no company was compliant at the time of their breach. Industry pundits argue both sides of the issue, but in reality, companies that are breached are usually doing something dangerous (or not doing something security-critical) that leads to that occurring. Since PCI DSS is so wide and sweeping, it's not a far leap to assume that the holes that attackers squeeze through (or in some cases drive through) are in fact addressed by some part of PCI DSS. At the very least, PCI DSS evolves to cover modern attack methods as well as modern security technologies; if a breach happens through a method not even remotely covered by PCI DSS, it is highly likely that the next edition of the standard will include a new safeguard or control addressing that vulnerability.
Note
PCI DSS changes every 2 years as part of a process you can read about on the PCI Security Standards Council Web site (www.pcisecuritystandards.org), which is really, really slow compared to how the operation of the criminal hacker community changes. Focusing on security and not on checkboxes is what will save the day.
Final Thoughts on State Laws
One thing left out of this book is the numerous state laws that introduce fines and penalties for poor security practices. As of this writing, Minnesota's Plastic Card Security Act, Nevada's new “PCI Law” (which amends NRS 603A), and the new Massachusetts Data Breach Law (Mass. Gen. Laws Ch. 93H) are the first in a growing trend of states providing criminal liability and remedies for the inevitable victims from a data breach. These laws typically lay out a similar set of controls to the high level components of PCI DSS or ISO27002, but leave much to the interpretation and implementation of programs designed to address these laws. Nevada's is the first to specifically call out required compliance to PCI DSS, and actually provides a Safe Harbor exception if you are compromised, but found to be compliant at the time of the breach. Unless Federal legislation is drafted in the near future, expect the confusing and frustrating landscape of state-based data breach legislation to continue, and to be tested in the court system.
PCI and The ISO27000 Series
As of this writing, the ISO27000 series (www.27000.org) are devoted to Information Security. For those of you who are not new to Information Security, you may remember BS7799 or ISO17799 as security framework standards that you may have assessed against. Those have been updated and are now part of the ISO27000 series of standards. Those standards are as follows:
■ ISO 27001: Specification for an information security management system.
■ ISO 27002: The 27000 series standard number of what was originally ISO17799.
■ ISO 27003: A new standard intended to offer guidance for the implementation of an IS Management System (ISMS).
■ ISO 27004: A new standard covering information security system management measurement and metrics.
■ ISO 27005: The methodology independent ISO standard for information security risk management.
■ ISO 27006: Guidelines for the accreditation of organizations offering ISMS certification.
More standards and documents are still under development, but for the purposes of this book, we will only focus on ISO27002 which most closely represents commonalities with PCI as an information security framework. According to the framers of PCI DSS, they will informally tell you that ISO17799 was a significant consideration when developing PCI DSS, and in fact, if you review the last iteration of Visa's Cardholder Information Security Program (CISP) you will see an even closer relationship with ISO17799.
At a high level, ISO27002 has 12 domains (PCI DSS has six domains, 12 requirements). Those are as follows:
■ Risk Assessment and Treatment
■ Security Policy
■ Organization of Information Security
■ Asset Management
■ Human Resources Security
■ Physical Security
■ Communications and Ops Management
■ Access Control
■ Information Systems Acquisition, Development, Maintenance
■ Information Security Incident management
■ Business Continuity
■ Compliance
At first glance, you will notice several things that are unique to ISO27002 not included in PCI DSS. ISO27002 is an information security standard and framework, where PCI DSS only concerns itself with one specific type of data, cardholder data. Most experts agree, if you have a mature ISO27002 program, PCI is eezy-cheezy.
Let's take a moment to explore what ISO27002 will give you that PCI DSS will not. ISO27002 details a process for risk assessments, while PCI just requires that they are performed in various parts of the standard. ISO27002 gives much more guidance to Asset Management and Human Resources Security, as well as the Organization of Information Security, Communications and Operations Management, and Information Security Incident Management. In some cases, ISO27002 addresses things you don't see at all in PCI like Business Continuity.
While a deep dive of ISO27002 is outside the scope of this book, security professionals will tell you that a mature ISO27002-based information security program will provide better protection than most of the industry or government regulated standards with which merchants and service providers might need to comply. The mere maturity of the program will provide for an easier path to PCI DSS compliance.
PCI and Sarbanes–Oxley (SOX)
The Sarbanes–Oxley Act of 2002 (SOX) was enacted as a result of the numerous public company accounting scandals of the late 1990s and early 2000s in the United States such as Enron, Tyco International, and Worldcom. Accounting firms defrauded millions of investors, and bankrupted the retirement plans of many employees. These scandals along with the events of September 11 kicked off a market slide and impacted investors globally.
While many IT workers grumble just as loudly when you mention SOX as they do when you mention PCI DSS, SOX is not an IT regulation. In fact, most of the consternation created around SOX comes from one element of Section 404. Although the entire piece of legislation is substantial in size, Section 404 comprises two subsections (a and b) that kicked off this entire frenzy. The two relevant subsections under Section 404a are as follows:
1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting [2].
Did you realize that it was only these two sections made such a big mess? It's humorous when you think about it. SOX's spending far exceeds that of PCI DSS, yet PCI DSS's requirements take up so much more space than SOX!
Part of the reason for this is that Section 404 does two things that generated a ton of work for large accounting firms. The first part of sub-bullet 1 requires that companies define a control set. PCI DSS does that for you – it's the standard. Where SOX becomes easier to manage from an IT control perspective over PCI DSS is that you are allowed to define your own controls that are sufficient to protect your financial data. PCI DSS does not afford you that luxury. You must comply with their predefined control set. The second part of SOX requires companies to be audited against that control set. That's similar to hiring a Qualified Security Assessor (QSA) to assess and validate your compliance with PCI DSS.
If you are a company subject to SOX, hopefully you are far along in your control framework maturity, and do not have problems passing your audits. If it takes 10 signatures to order a ream of paper, you might have a mature SOX program!
Although the SOX and PCI DSS teams attack different problems, there are things that each can learn from each other. For one, it makes more sense to manage to a common set of company controls, and then map those controls into each standard you might have to follow. For example, if you have password and authentication controls defined, you should be able to map those back into PCI DSS during an assessment of PCI DSS, and if PCI DSS changes, you should be able to go the other direction and make sure your controls are sufficient. Given the choice, most companies would prefer to manage to a common set of controls that address all compliance frameworks versus managing the four to five different compliance frameworks directly. If you can get your company focused on controls instead of requirements, you will have a better chance of maintaining compliance, and spending less with new compliance directives.
Warning
One word of caution for anyone looking to merge PCI DSS and SOX compliance teams. While SOX teams have been managing a compliance program longer than PCI DSS teams have, the requirements and operations to do so are vastly different. SOX teams know the company's control framework; PCI DSS teams tend to focus only on individual gaps from specific requirements. You are better off taking compliance management one level up and have all of the individual teams feed their data into the higher level.
Regulation Matrix
The matrix below (Table 14.1) illustrates some of the overlap and commonalities between PCI and other major compliance or security initiatives. One of three possible entries is listed in each cell. Cells with the term “Yes” in them means that there is a direct correlation, or that most implementations would require a similar control to be put in place. Cells with the marque “?” designate a possible match, but it depends on the implementation or specific control set. Cells with the term “No” in them means there is not a direct match between the initiatives, but depending on other areas (such as a security policy requirement), you may end up with overlap. Instead of comparing the Data Breach Notification Laws, we'll see how the new Massachusetts Data Breach Laws (thought to be the most aggressive today) compare to PCI DSS.
Based on everything we have covered, are you surprised that PCI and ISO27002 are so closely matched? If anything, this graphic could be used as the argument to invest in an ISO27002 program so that you don't have to chase all these individual initiatives!
How Do You Leverage Your Efforts for PCI DSS?
First and foremost, make a partnership with your legal team. Personality issues aside, your legal team should be your best friend during this process as they will be able to help you to lay out all the elements of risk and remedies, so you can justify the quantifiable costs associated with Information Security. Once you have these all laid out for your organization, you will be able to determine what PCI DSS already requires, and address any gaps quickly.
Summary
PCI DSS has much in common with many of the existing security practices or laws and regulations with which your company might have to comply. We explored how PCI DSS shares similarities with State Data Breach Notification Laws, and briefly touched on new data breach related laws that are ever increasing in number and scope. We compared PCI DSS to ISO27002 and showed you how implementing and maturing something like ISO27002 would most likely exceed the base requirements of PCI DSS (and most other compliance initiatives). We discussed SOX, how it came to cause such a big mess, tips to use when dealing with both, and some of the dangers you might run into if you hand your PCI DSS compliance program over to those teams.
Data breaches are not going away, and as long as companies lag in protecting the information of constituents, expect laws to continue to be drafted and the landscape to become more complicated. The best thing you can do is step back and implement a solid information security program, ensuring that your base control set and framework meets the requirements of PCI DSS (and any other initiative you may be facing), and manage to that.
References
[1] National Conference of State Legislators., State Security Breach Notification Laws. (2009);www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/; [accessed 30.07.09]..
[2] FindLaw.com., HR3763 (2009);http://news.findlaw.com/cnn/docs/gwbush/sarbanesoxley072302.pdf; [accessed 30.07.09]..
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.