The High Price of “Faking” Your PCI Compliance Status

By Todd Bell, C|CISO
EC-Council, www.eccouncil.org/ciso
Cyber Security Commentary Paper

Uploaded by connecttech-llc, 05-Jul-2015
Description: When companies want to fake their PCI compliance

Copyright © EC-Council, 2012. All Rights Reserved www.eccouncil.org/ciso
ConnectTech, LLC, North Colorado Springs, CO USA, www.Connect-Tech.biz

The High Price of “Faking” Your PCI Compliance Status

Introduction

During the height of the Colorado Springs fires, in which 346 homes were lost, another fierce fire was burning at a well-known company that was “faking” its PCI compliance status to its acquiring banks and the millions of customers they serve. It was appalling to watch employees of this firm, from Senior Managers to Security Managers to even a Principal Engineer, go through spreadsheets and check off PCI compliance for applications and systems that were not properly validated and did not meet the PCI Standard. Our job, as sub-contracted consultants, was to review the razor-thin compliance evidence that was provided by system owners. Most of it lacked proper screen shots for validation and was missing the evidence needed to prove that security controls were properly implemented. Our hired team continued to advise this Fortune 500 client that they were operating well below the PCI Standard, that they did not properly understand the PCI Standard beyond just reading the PCI requirements, and that they did not understand the importance of PCI and the legal ramifications of failing to implement it. This level of neglect might be expected from an organization that is new to PCI or doesn’t have an IT focus, but the irony of this whole ordeal lies in the fact that this was a leading IT security company.

As a leading security company, they wanted to perform a PCI self-attestation, so they hired a third-party consulting firm to advise them on how to properly achieve PCI compliance and to assist in rebuilding the entire Cyber Security Program. While the third-party company was hired under the guise of helping the client properly secure their environment, it was nothing like what we expected. The PCI Council forbids QSAs from engaging in fraudulent activity, hence we could not engage in fraud by deliberately deceiving the acquiring brands and, ultimately, millions of consumers. Unfortunately, this was not an exception, and I have experienced similar situations three times over the past five years. Before this, I had experienced the same situation with a prominent Fortune 500 company that had employees from one of the recently failed mortgage banks misleading the CISO and downplaying serious security issues. Another example of PCI fraud I have encountered occurred with a well-known retailer that was more focused on “gaming” the PCI Standard than on spending the money to fix the security issues and protect cardholder data.

One may ask why I didn’t report these three companies to the payment brands and the PCI Council; after all, aren’t I as culpable as the offender? During my QSA (Qualified Security Assessor) training over the years, I have learned of some individuals turning in their own clients that have committed PCI fraud, but it is frowned upon for many reasons. Still, no QSA company should be actively supporting a client that engages in deliberate fraud to deceive the acquiring banks, payment brands, or its customers. When a company performs a self-attestation or has a QSA perform the attestation, this is a legal and contractual commitment that has severe financial consequences.

After further analysis of the three companies that chose to short-cut the PCI Standard, I started to research the common denominators of each company and the attributes they each possess:

1. All three companies have had some type of past security breach
2. All three companies “self-attest” under the PCI ISA program
3. All three companies have had a lot of controversial coverage in the media
4. All three companies are considered the best in their industry
5. All three companies have had some type of fraud at the executive level as shown in past media reports
6. All three companies were using the same Fortune 500 Outsourced Data Center Service Provider (directly and indirectly)

When companies are “faking” their PCI compliance status, it is not only fraudulent activity and a breach of contract with the acquiring banks and payment brands; it is also a breach of customer trust. When employees actively engage in “faking” their company’s PCI status, it is often because of a company culture that favors “managerial convenience” over safeguarding credit card data. The top executives of any firm set the tone for the company and contribute heavily to corporate culture. When the behavior at the top includes past fraud among its executive ranks, it permeates down to the rank-and-file employees as acceptable behavior. Unfortunately, the consumers are the ones who lose in the long run, because they are the ones at risk. In addition, this is a greater risk exposure for the payment brands, which have to deal with the financial consequences of potential fraud at a time when swipe fees are at the forefront of controversy.

Over the years, I have met many CIOs and CTOs who have measured their competitors, or past companies they have worked for, against the PCI Standard and firmly stated, “they are not PCI compliant, so why is our company being held to a higher standard?” The answer is simple. The PCI Standard is the same for every company, and the competing company is choosing to operate below the PCI Standard and put its customers at risk. The probability of a security breach only increases with each year that passes.

While these three companies may think they are prospering by misrepresenting their PCI compliance status, they are hurting consumers. The Federal Trade Commission (FTC) will take notice when consumers are at risk of harm. In a past ruling, Dave & Buster’s [1] settled charges that required the company to obtain independent professional audits every other year for 10 years and FTC compliance monitoring on top of annual PCI assessments. This summer, the FTC filed a suit against Wyndham Hotels [2] for three security breaches in less than two years. While no ruling has been made, it will cost Wyndham Hotels thousands of dollars to defend against the suit, and it is uncertain whether the hotel chain will face steep fines and penalties from the FTC.

While it is easy to criticize these three past companies that I have worked with as a sub-contractor, again I have to ask myself whether I am culpable. I do accept fault for failing to convince these large companies to do the right thing, but I fell on my sword trying to convince them to maintain integrity in the process. Truth be told, there is a sense of failure no matter how hard you try to do the right thing, and failure will always cost everyone in the process. I have addressed how it costs consumers and how it often affects the company engaging in the behavior, but it costs others as well. Oftentimes it costs the consultant their job, and then it begins to impact the credibility of the PCI Standard itself. In the long run, faking PCI compliance erodes the PCI Standard that was put into place to protect consumers, companies, and individuals. Undermining it is no different from allowing a child to cheat their way through every test so they can get that college scholarship: it contributes to a culture of fraud. Let’s say the cheating student does get that scholarship. Because they have cheated on every test, they have to continue to do so, first because they lack the basic knowledge of their non-cheating counterparts, but also because they lack the study habits and mental focus they should have acquired in school. They couldn’t stop cheating now if they wanted to: it’s too late. They will cheat until the professor catches them. Once caught, they are stripped of their scholarship and their academic and personal record is tarnished forever. The situation is the same with corporate fraud: while faking compliance may save money in the short term, the longer the fraud is practiced, the more painful it will be for the company to ever gain true PCI compliance. While it may take more time to study to pass the test fairly, and it may take more money to gain compliance, like many things in life, the payoff will be well worth it!

1. Dave & Buster’s Settles FTC Charges it Failed to Protect Consumers’ Information, March 25, 2010, http://www.ftc.gov/opa/2010/03/davebusters.shtm
2. FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers’ Personal Information, June 26, 2012, http://www.ftc.gov/opa/2012/06/wyndham.shtm


About the Author

Todd Bell

Global IT Security, Setting Strategy & Building Programs, Rearchitecture Design

Todd Bell is a revered subject matter expert in the field of IT Security who has made significant and transparent impacts that protect businesses and consumers alike. His impact is evident in the daily lives of people across the world through the behind-the-scenes protection of their most sensitive information. For consumers who have traveled by land, sea, or air, used a credit card to purchase goods and services, used kiosks or global payment systems, utilized smart phone technology, purchased gift cards, received pharmaceutical information, provided patient data, gambled on-line, banked with major institutions, or provided financial information for lending, there is a significant chance that Bell has had an impact on the protection of their data.

Bell’s track record keeps him in high demand. Since taking his first CISO position seven years ago, he has worked as a Strategic Security Advisor for global institutions and as an Outsourced CISO. His Fortune 500 clients have never had a security breach, a result of his attention to detail, knowing the tough questions to ask, using investigative methods to get proper infrastructure facts, identifying enterprise weaknesses, and utilizing a natural instinct to understand the entire enterprise from top to bottom, recognizing that securing sensitive data impacts every department. Bell credits his success to the premise that trust and credibility must be established with other executives through accountability and by being culturally sensitive to business members across the globe. Bell has managed to overcome time constraints and language barriers while staying focused on business objectives, which has earned him “trusted advisor” status with clients, as evidenced by the referrals on his LinkedIn profile.

Building on 15+ years of high-tech/operations experience ranging from Hewlett-Packard to Oracle, Bell has P&L experience with over $48M in revenue and leadership responsibility, including leading large international IT teams responsible for technology development, delivering global business solutions, business process design, outsourcing, setting strategy, and rearchitecting enterprise infrastructure. In addition, Bell started ConnectTech, LLC (http://www.Connect-Tech.biz) and also works as an Executive IT Security Advisor for the credit card/healthcare industries, leading projects ranging from $1M to $30M for a variety of industries. One of Bell’s top projects included finishing a projected $8M project for a Texas Public Utility that came in at $2M, due to Bell’s innovative cost cutting in co-designing a SAP tokenization solution that became a new SAP offering. Bell worked for a private equity firm on the divestiture of an international software and medical company and was accountable for successfully separating both companies, serving as the interim VP of IT leading the project. Bell was previously responsible for North American IT operations, functioning as Director of IT for a TBC Corporation subsidiary consisting of 570 locations with shared parallel executive responsibilities, and as the CISO for 8 companies consisting of over 2,800 store locations, responsible for risk management, securing company-wide infrastructure, corporate governance, developing enterprise policies, security strategy, and mission-critical 24x7 business operations.

Todd Bell has served as a paid executive officer on two Colorado utility Boards of Directors, in which role he was responsible for an $8M operation that serviced 5,100+ clients. Bell successfully turned around a utility that was losing money and restored fiscal stability; the utility operated in the black within a year, without rate hikes to clients, as the result of business outsourcing and reorganization.

Bell holds an M.B.A. from Regis University in Denver, CO and a Bachelor’s degree in Business Information Systems. He received the highest national honor from Regis University for academic achievement and his significant contributions to public service and, as a result, was inducted and presented the Medallion of Honor for his accomplishments. In addition, Bell holds a variety of professional certifications, including corporate compliance/governance (SOX) from Tulane University Law School, the PMP credential from the Project Management Institute, IT Security & Compliance (CISSP), PCI Council certification, and Certified Master Project Manager. Bell has also received the C|CISO Executive Certification as a Chief Information Security Officer from EC-Council.

Among his numerous credentials, Bell has received the prestigious HP Customer First Award, WJ Presidents Technology Award, public service awards, and customer awards for providing world-class customer services. Bell is a member of the Worldwide CIO/CISO Executive Council, EC Council, Denver InfraGard, PMI, Payment Card Industry (PCI), and Alpha Sigma Nu.