Gartner Exceptionalism
Ben Rothke, CISSP, CISA
American exceptionalism, as articulated by Alexis de Tocqueville, holds that the United States is qualitatively different from other developed nations in terms of its national credo and moral responsibilities. While the theory has its critics, its underlying message has merit.
Within information technology, I would like to suggest the notion of Gartner exceptionalism. Gartner, Inc. is one of the largest, best known and most powerful information technology research and advisory firms. Its research covers the gamut of IT; its events and conferences are attended by the industry elite; its reports are often viewed as gospel. Given Gartner’s close relationships with Global 2000 executives, what Gartner says matters, and when Gartner speaks, CIOs listen.
But, to paraphrase Stan Lee, “with great power comes great responsibility.” Because Gartner holds such an elevated position, I believe that they have a unique responsibility to be information security’s main advocate. To a significant degree they meet this goal, but every so often they miss the mark. An area where I feel that Gartner’s analysis and commentary does not ring true is in its view of PCI DSS.
Gartner has not stepped up to the plate and taken the lead on the need for PCI. I believe that Gartner has an obligation as a trusted advisor to read their clients the PCI riot act. So far, what I have seen is that while some Gartner reports have touted the merits of PCI, its party line is far too critical of PCI and fails to provide the type of thought leadership needed to bolster support and adoption of PCI DSS standards.
For example, while the essence of its report, PCI Compliance Remains Challenging and Expensive, is true, I believe Gartner needs to reiterate in an equally clear voice that the effects of inaction on payment card processing are markedly more challenging and expensive. The reality is that PCI with its imperfections is all we have, as there is no Plan B in the works. We are 30 years into the computer revolution and companies are addicted to computer insecurity.
History tells us that, for the most part, companies only start taking things seriously when they are regulated and when those regulations are seen to have real consequences. We have myriad best practices and a corresponding number of security incidents and breaches. PCI is a standard, and people still aren’t taking it seriously. People only take things seriously when there are consequences to their inaction or failures. That’s where the trouble lies.
Note the comments from a Gartner analyst stating that “billions are being spent on PCI compliance, but it isn't really working” and “PCI’s dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt.” Gartner’s exceptional status should require them to be prescriptive in their criticism rather than merely critical.
While I am not sure whether billions have been spent on PCI compliance, it is far too premature to say that PCI is not working. Any sort of compliance takes time, and with PCI only at version 2.0, we shouldn’t expect at this early point that PCI can fix decades of poor business security practices on its own.
As to PCI’s dirty little secret, there is no secret. Every security professional would be enamored if we could mandate encryption inside a private network, for both data in motion and at rest. But such an onerous requirement would likely cause the industry to categorically reject PCI DSS. The reality is that PCI is pragmatic about the risks, about what it requires, and what it can’t expect.
While I am quite fond of PCI, I am not so naïve as to think that it is the be-all and end-all. PCI is far from perfect, but in 2011 it is the only thing we have, with no other similar and reasonable regulation or standard on the horizon.
Finally, regulations should not be seen as a panacea either. But in those areas where self-regulation has failed, regulation is what naturally follows.
In PCI Quality Assurance Program Does Not Go Far Enough, Gartner opines that PCI does nothing to address the industry’s most serious compliance problem: the conflict of interest inherent in assessors also performing remediation. To think that this is the most serious compliance problem shows, in my opinion, a lack of appreciation for the depth of the security problem.
Personally, I think the industry’s most serious compliance problem is its indifference to security. Hundreds of millions of records do not get breached by accident. While the PCI tier-1 merchants have done a fine job of achieving PCI compliance, there are millions of smaller merchants (PCI tiers 3-4) with serious security and privacy issues that are still out of compliance. How could Gartner ignore that fact?
In a conversation with a Gartner analyst, I was told that they form their opinions from speaking with their clients. Yes, clients should be miffed if their PCI assessors are pushing their own products. On the other side, Gartner does not seem to have adequate dialogues with the practitioners in their field. The real solution would be for Gartner to present both sides of the story and to examine the fact that so many customers see security as a check box, not as a process.
Gartner needs to go on record that PCI is categorically the best thing for the industry. They can, and should, also go on record detailing where PCI needs to be improved. Gartner should explain to their clients that this is no longer their mother’s network. A basic iPod has enough storage to quickly download nearly every bit of merchant data for most vendors. Gartner must use its influence to let its clients know that everything in PCI DSS is relevant and that it expresses security fundamentals. Gartner needs to let their clients know that they are but a breach away from a lawsuit, and that one of the best ways to ensure their security and solvency is via PCI.
A Gartner analyst told me that what is needed is the complete overhaul of the payment industry, mainly via the use of end-to-end encryption. Such an approach would do more than PCI. Such end-to-end encryption would indeed be wonderful and to a degree is happening. But from a practical perspective, such a complete overhaul is at least a decade away.
As recently as August, Gartner wrote in Long-Awaited PCI Changes Don't Seem to Go Far Enough that draft changes for version 2 of the Payment Card Industry Data Security Standard leave some pressing issues unaddressed.
Gartner is correct that uncertainty about these areas has left PCI qualified security assessors (QSAs) to make their own interpretations of the regulation, creating confusion for their customers. Right or wrong, though, this is no different from what we had with Sarbanes-Oxley.
The difference, though, is that the PCI Council has created special interest groups (SIGs) to assist it in addressing these issues. This includes work to understand the linkage between PCI compliance requirements and implementations of alternative technologies, including chip cards (as opposed to magnetic stripe cards), tokenization and point-to-point (or "end-to-end") encryption, and how these implementations can potentially limit the scope and requirements of PCI audits.
Gartner noted that they expected the SIGs to report their findings by the end of 2010 (which they did not), but that the SIGs will still only offer guidance rather than clear-cut requirements, arguably unavoidably, since there are still no industry standards for tokenization or point-to-point encryption.
If Gartner is serious about having PCI gain real teeth, perhaps they should suggest that the National Cyber Security Center (NCSC) be given the same regulatory authority as the FAA. The FAA can ground, and has grounded, entire aviation companies for non-compliance with the minutiae of an airworthiness directive. By the same token, the NCSC should be able to make companies such as Heartland and TJ Maxx stop all credit/debit card processing until they are security compliant.
I would love to see the NCSC given such powers. My estimate, though, is that the outcome would be the closing of at least a third of the retail stores in the US, given their poor information security practices and PCI compliance issues.
No one is expecting Gartner to advocate PCI as a perfect panacea. PCI is not perfect, because PCI can’t be perfect. It is ridiculous to think that a standard or regulation can be created that is both relevant and acceptable to every company in every industry. Gartner notes this in its report PCI Security Standard Update Does Not Meet Merchants' Needs. Notwithstanding, the benefits of PCI far outweigh its shortfalls. Do Gartner clients know this?
Gartner is indeed a leader in IT, but with PCI, they are stepping away from their responsibilities as an industry leader, and we all suffer for that choice. When Gartner analysts decide to confront the reality of PCI, rather than assemble a wish list which does not advance the cause of merchant security, they will clearly show what an exceptional firm they truly are.
Ben Rothke CISSP, CISA is a Security Consultant with firm and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).