Data Breaches and the Problem with Audits

Posted by: Rachel James | June 2nd, 2009

Today, in a report by Wired Magazine, it was revealed that Savvis Inc., the company which performed audits for CardSystems during 2004 when it experienced one of the largest credit card data breaches of its time, is being “pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.”

Savvis is accused of certifying that payment systems were compliant with security standards when they were not. Due to the recent rash of breaches at companies that were supposedly compliant with payment industry security standards, the PCI Council said last year that it was tightening its oversight of auditors.

These auditors are in charge of ensuring that a company’s methods of processing payments and transmitting information are up to industry standards. However, Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. I see many problems associated with this audit system as it stands today, highlighted in part by the article:

  • Listing standards to become compliant is poor security practice. Good information security comes from adapting to, expecting and meeting new threats. By the time new standards are drafted and approved as part of compliance, the threats may have already done damage.
  • 3 people on full time staff are in charge of the auditor certification program. How much are these auditors scrutinized?
  • Difficulty understanding complex standards creates difficulties for organizations desiring to install or update components of their systems.
  • 80 percent of the audits in the payment industry are conducted by a dozen major vendors. As the article pointed out, “the rules and requirements for auditors reveal a number of potential conflicts of interest (.pdf) that could arise between an auditor and the entity it’s assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.”
  • A recent study reveals that 20% of IT security managers and technical staff from enterprises and government departments admit to cheating on security audits or knowing of a colleague that did. An even larger percentage “cut corners”, resulting in potential holes in audits or security compromises.
  • Problems are getting worse as companies slash budgets. Staffing issues, substandard or used equipment which may or may not be infected with viruses, and time constraints are all symptomatic of the economic pressure on this industry.

It is important to realize that standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as its weakest link. In this case, the links are made of people, and it only takes one lie or misrepresentation to create millions of dollars in losses.