Tuesday, April 21, 2009

Do the Payment Card Industry Data Standards Reduce Cybercrime?

Somebody was asking me where to find this, so I will post a quick link to the already old Subcommittee on Emerging Threats, Cybersecurity and Science and Technology

I wouldn't bother watching it, it does not do the serious issue justice when it really needs to be taken seriously.

The amount of sensitive information being leaked during the time of this hearing: 1,434,434,334 credit card numbers (not a real number). Keep it up, you're making such great progress.

Thursday, April 9, 2009

What happens when a company gets hacked?

So what exactly happens when a company's website gets hacked? Is there anything set up that actually tries to identify whether sensitive information has been obtained? Is there anything set up that helps verify that the company has indeed identified the issue and verified that the vector has been secured? I am going to have to say that for the majority of companies out there, the answer is no. What I have seen from personal experience is that the most important aspect of being hacked, as a company, is to get the site back online and do anything necessary to make sure that the trust of the customer has not been lost. Currently, the way that things are set up (such as PCI), most companies do not disclose that they have been compromised, because it would have a serious impact on the trust in their site, ultimately ending up with fewer sales.

There is something seriously wrong with this.

There is nothing that really mandates that a company disclose any information to the public or their customers other than individual state laws that have been put in place, which most companies don't even know about. Now, I understand that we will always be faced with this issue: there will always be companies that will do anything necessary to avoid disclosing their compromise, and we will never be able to fully eliminate this.

What I believe needs to be accomplished is that PCI sets up a requirement or method that ASVs/QSAs must follow if a customer informs them that they have been compromised. There must be a standard set up that an ASV/QSA can follow that mandates the company to disclose the issue. It must also be the ASV/QSA's job to work with the company, to assist with identifying the vector through which the compromise occurred, and to verify that the vector has been secured.

If a company is required to disclose a compromise no matter what the size or impact may be, they will be a little more proactive in making sure that their website is secure. I understand that a company must worry about the effect of a disclosure, but honestly, they have been compromised, and they should not have a choice. Their customers have the right to know that the site was insecure and that their personal information might have been revealed.

Also, going in parallel with the fact that they have been compromised is the understanding that their website was indeed insecure, and therefore they should not be solely responsible for mitigating the issue. They should be required to have their ASV/QSA assist them with the compromise and verify that they have indeed resolved all issues of insecurity.

If anyone out there knows the security of a website better than the company itself, I would say that it is their ASV/QSA or the attacker who was able to compromise the site. As an ASV/QSA you are usually able to form an opinion of the company's level of activeness in security by monitoring how long it takes them to fix an issue and their overall understanding of security. From this information the ASV/QSA will be able to generate a basic opinion of the company's overall determination to be secure. This can be used to assist the company in making sure that they are conducting the right operations to secure the website and are getting it right the first time. At the same time, the ASV/QSA can assist the company in preparing a public statement that tells their customers that they have been compromised. This will also verify that the company does not take the compromise lightly or release a public statement that does not accurately describe the level of compromise.

I want to close by asking whether any of you even know that Visa has a document on "What to do if Compromised", and whether you have ever heard of a company following the procedure.
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

Also check out:
PCIsecuritystandards.org keyword search for "Hacked"
PCIsecuritystandards.org keyword search for "Compromised"
I'll save you the excitement: they return 0 results.

What about these answers from the PCI Council?

If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?
--The PCI Security Standards Council is not responsible for levying any financial or operational consequences on businesses that have either been breached or are suspected of an account data compromise. These businesses should contact the individual payment brands regarding next steps, such as contacting law enforcement, or obtaining other relevant information, including potential consequences should a compromise have occurred.

Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?
--The PCI Security Standards Council will not conduct forensics investigations either directly or through a third party in the event of an account compromise.

Thursday, April 2, 2009

Who takes PCI seriously?

A good portion of my day consists of consulting for PCI compliance. After consulting with the customer on one issue after the other, you just really start to realize that the customer is not concerned with security whatsoever. What they are concerned with is getting the banks, or whoever is auditing them, off their back.
Why are the banks on their back? Well, it is most likely not for security either. It is likely because they have identified PCI compliance as another revenue generator, requesting customers to become compliant or pay a fine ($$), knowing that they will be out of compliance for at least some period of time. The banks are also teaming up with ASVs/QSAs, creating a partnership with them to basically split the revenue, stating that if you are not PCI compliant, the bank will provide an ASV/QSA for you. Now I am not stating that this is a bad thing, because I would like to see companies become PCI compliant by any means necessary. What I am saying is that neither of these cases really has a concern for the actual security of each company.
One of the more difficult issues that I face when dealing with a company that is trying to obtain PCI compliance without a serious concern for security is that they will do just about anything to obtain compliance. This includes removing devices from their account that are non-PCI-compliant in order to print a compliant report for the ones that are, without properly identifying the proper scope of network segmentation. Another common issue that I see is customers providing inaccurate or false statements to verify that a vulnerability has been resolved through patching or mitigation. More often than not, I see the customer remove the page in question in order to become PCI compliant, just so that they can print a compliant report.
Now we do have checks that try to prevent this, but they are all based on the customer's word. Now I am just taking a guess here, but if they are going as far as removing devices, pages, or applications temporarily, then they are most likely going to check a couple of check boxes without even thinking twice about it.

Now what I am about to say is purely my own opinion, but I am sorry, I just don't see it occurring any other way.
Companies like Visa/MasterCard really need to force PCI compliance. The only way I see this ever being successful is that your shopping cart/payment application must be Visa/MasterCard approved.
What do I mean by that? I mean that if you have a shopping cart or payment application, it must go through a Level 1 PCI audit with code review and be a Visa/MasterCard approved application.
Why do I believe this? Well, if you are a mom-and-pop shop, you should not be allowed to have your own custom shopping cart. You are not programming this application with security in mind, and most likely it will not be secure. There are so many Visa approved shopping carts out there that you should be able to find one that accommodates your needs.
If you are a "big time" enterprise company, then you should have the necessary components to program a secure application, and you should have the funding to get the necessary Level 1 PCI audit with code review and have it approved by Visa/MasterCard.

Now I know that by saying this, a lot of security professionals are going to think that this would totally put someone like me out of business. I do not think so. Just because the payment application is secure does not eliminate the threat. There are still other web application/network vulnerabilities out there. There is still a need to pen test websites. There is still a need for PCI compliance.

Either way you look at it, something needs to change in the process by which we take/store credit card information. If PCI is not going to be the leader in attempting to address this, then who is?