PCI compliance is Zen-like. It's hard to determine, and even when a letter declares a company PCI-compliant, that declaration can always be reversed retroactively, typically after a breach. Yes, the moment you most need to be able to say that you are PCI compliant is exactly the moment it's taken away. Isn't life wonderful?
What prompts this observation was a news release that crossed my desk a few days ago from Tenable Network Security. The release said the company had a new offering "that continuously monitors and maintains Payment Card Industry Data Security Standard (PCI DSS) compliance posture." Monitors? Yes. Maintains? That is not something that software — any software — can do.
That's more the fault of how PCI works than anything that Tenable does, and it's fair to say that almost every security company oversimplifies PCI compliance. Tenable is selling an idea that retailers would so very much love to be true. But it's not.
First off, for a merchant to be considered PCI-compliant involves an opinion from the QSA (qualified security assessor) it pays for, plus agreement from the relevant acquirer or payments processor and sometimes one of the card brands (Visa, Mastercard, Amex, Discover, etc.) themselves. Those decisions are usually driven by security findings, but political and profit motives can also play a role.
This gets worse. Let's say that the QSA finishes the assessment on July 1. It may take a couple of months before everyone signs off and the merchant gets a letter granting PCI compliance. Let's say that letter arrives Sept. 1. It doesn't say that the retailer is compliant. It merely says that back on July 1, it was compliant. And as mentioned above, even that will be stripped away precisely when the merchant needs it most, such as after a breach.
Compliance is tied to the date the assessment wrapped up because, in theory, any change at all to anything on the network (a new host, a firewall rule, a patch) could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows whether it is compliant right now? It becomes an amorphous state that can be attested to only in hindsight, never actually held.
This brings us back to Tenable's claim. No software can maintain compliance. When I reached out to Tenable, it quickly conceded the point and changed the release on its site to say that its product "continuously monitors Payment Card Industry Data Security Standard (PCI DSS) compliance posture." Better, but no cigar.
The idea of monitoring suggests that the software will flag when compliance is there and when it isn't. Unfortunately, given how PCI works in the U.S., that's also not knowable.
Most PCI vendors — and I say "most" because I am trying to be charitable — treat PCI as though it can be managed.
Let me be clear. As far as I can tell, what Tenable is offering is quite valuable and is arguably one of the most robust security packages out there today. It will almost certainly help merchants keep their QSAs happy, since it will flag common areas where merchants get into security trouble. Indeed, it even tries to address cloud computing and mobile problems by watching network ingress and egress. That way, if someone is touching payment card data and downloading it to some device, it's tracked.
But it can't track PCI compliance — which is a human-dictated state — any more than it can declare a system "secure." A system can be made more secure than it was an hour ago, but no system can ever be considered entirely secure. The same goes for PCI compliance. It's frustrating, but true.