
The Art of the compensating control

Jonathan Care

Paresh Deshmukh
Global Security Consulting

What is a compensating control?


+ In the past:
  - Everything from a legitimate work-around for a security challenge to something that the CIO wants to achieve

+ Now:
  - Based on a risk analysis
  - Legitimate technological or documented business constraint

+ Four criteria for validity:
  - Meet the intent and rigor of the original PCI DSS requirement
  - Provide a similar level of defence as the original PCI DSS requirement
  - Be "above and beyond" other PCI DSS requirements (not simply in compliance with them)
  - Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement

What compensating controls are not!


+ Not a short cut to compliance
  - Harder to do
  - Cost more money in the long run than addressing the original issue

+ Not a permanent solution for a compliance gap

+ There is no compensating control for storing sensitive authentication data after authorisation

+ While there is no defined lifespan for compensating controls, they must be reviewed as part of the annual assessment
  - Does it (still) meet the four criteria?
  - Does the original constraint still exist?
  - Is it still effective in the current security threat landscape?

Who approves compensating controls?


+ Initial approval is by the complying organisation
  - Will this work for my organisation?
  - Can we support this?

+ Second stage approval is by the QSA
  - Does this meet the criteria for compensating controls?
  - Am I willing to put my name to this?

+ Final stage approval is by the Acquiring Bank
  - Substantial documentation is required
  - Open channel of communication

Lunchtime fun: The compensating control cha-cha


+ Encryption is a hotly debated topic
  - "Just do it"
  - "It's a mainframe"

+ Things that aren't encryption
  - RAID-5
  - Transposing digits in the PAN
  - Disk-only encryption inside the data centre without additional user credentials
  - Transparent encryption appliances

+ BUT ALSO: by the way, encryption is not the problem with Requirement 3; key management is!
  - Using COBOL's random number generator to generate 16 digits (128 bits) leads to:
    - Lack of randomness due to entropy issues
    - Elimination of keyspace, leaving only 53 bits of possible key material
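As an added illustration of the last two points (example code, not from the deck, and assuming nothing about the COBOL routine itself): `key_report` measures how much keyspace a key's bytes can actually span against the bits the key occupies, reproducing the 16-digit, 53-bit case, and `base64_plaintext` is the check that separates encoding from encryption, which the deck's placeholder "encrypted card number" fails.

```python
import base64
import math

# Character classes a key might be drawn from; digits are tested first
# because they are also a subset of the hex and alphanumeric classes.
_DIGITS = set(b"0123456789")
_HEX = set(b"0123456789abcdefABCDEF")
_ALNUM = set(b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def key_report(key: bytes) -> dict:
    """Compare the bits a key occupies with the keyspace its bytes can span.

    The keyspace is taken from the narrowest class covering every byte:
    16 decimal digits give 10**16 values, i.e. log2(10**16) ~= 53.2 bits,
    although the key is stored and handed to the cipher as 128 bits.
    """
    used = set(key)
    if used <= _DIGITS:
        alphabet = 10
    elif used <= _HEX:
        alphabet = 16
    elif used <= _ALNUM:
        alphabet = 62
    else:
        alphabet = 256
    stored_bits = 8 * len(key)
    effective_bits = len(key) * math.log2(alphabet)
    return {
        "stored_bits": stored_bits,
        "effective_bits": round(effective_bits, 1),
        # Flag a key that falls short of the strength its size suggests.
        "undersized": effective_bits < stored_bits,
    }


def base64_plaintext(value: str):
    """Return the decoded text if value is just base64 of printable ASCII,
    else None. Encoding is reversible by anyone who can read the value;
    only a keyed cipher counts as encryption."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


if __name__ == "__main__":
    print(key_report(b"1234567890123456"))  # constructed 16-digit "key"
    print(base64_plaintext("aWxvdmVjcmVkaXRjYXJkcw=="))  # the deck's placeholder
```

A 32-character hex-ASCII key is caught the same way: 128 bits of keyspace in 256 bits of storage.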

Sample Compensating Control (1)


+ Routers do not support SSH (PCI Requirement 2.3)

+ Databases need encryption (PCI Requirement 3.4)

+ Costs:
  - Original cost estimate of upgrade: 125MM

+ Risks:
  - Card numbers are not encrypted at the point of sale
  - Routers/switches can redirect or span traffic for capture

[Diagram: Customer, Associate, Corporate Offices (Application Servers, Database Servers, Mainframe), Financial Institution]

Sample Compensating Control (2)


+ Transaction data:
  - Now encrypted at the point of sale using industry-accepted algorithms
  - Stays encrypted until passed to the financial institution

+ PANs are replaced with reference numbers when the transaction returns

+ Mitigated risks by rendering the data unreadable

[Diagram: Customer, Associate (unencrypted card 4111111111111111), Corporate Offices (Application Servers, Database Servers, Mainframe), Financial Institution; encrypted card number: aWxvdmVjcmVkaXRjYXJkcw==]

Compensating control Ju-Jitsu (The Art of Compliance)


+ Reduce the scope of PCI to the bare minimum required
  - Can you truncate PAN data?
  - Does your ecommerce site really need to be in the payment flow?

+ Ask the hard questions
  - Why do you need this?
  - What would you do without it?

+ In the event of a breach, how will this assist a forensic investigator?

Compensating control Ju-Jitsu (The Art of Compliance)


+ Not the golden parachute of compliance initiatives.

+ Require work to build effective ones that will pass the scrutiny of both a QSA and an acquiring bank (or card brand).

Compensating controls may help you lower the bar of compliance in the short term, but remember, only you can prevent a security breach.

Data Breaches vs. Data Protection (Here's Why)

Source - Gartner Toolkit Presentation: PCI Compliance Is Hard to Achieve but Worthwhile, 4 May 2007

Confidential and Proprietary

Data Breach Concerns

Source - Verizon 2009 Data Breach Report


Final Thought: Why be compliant?
