Last updated at Wed, 30 Aug 2017 00:20:13 GMT

You said "Minimum." Really?

How we can be sure that the PCI DSS requirements are sufficient and stay aligned with the evolution of attacks? This is a fair question raised by Mike Mitchell VP global network operations at American Express and chair person at the PCI council.

On page 7 of PCI DSS V2 one could read that "PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks." The term “minimum” in the above statement made me anxious and I felt the need to clarify if PCI DSS was really about the least possible requirements that an organization should implement to protect the sensitive data. Don't we left something critical on the side?

For this purpose I had the idea to compare PCI DSS against another guideline considering also the least possible set of security measures that one should consider to implement an effective defense against known attacks, namely the SANS Top 20 Critical Security Controls. Through this analysis I was looking for answers to the following questions:

  • What are the connectivities between PCI DSS and SANS Top 20 Critical Security Controls?
  • Which controls map which requirements?
  • Which of PCI DSS or SANS is the most prescriptive, the more demanding?
  • What are the gaps and how wide are they?
  • And finally: What's the value of PCI DSS on a security scale?

This newsletter provides you some insights into the outcome of this analysis. The detailed analysis paper could be found right at the bottom of this newsletter.

            PCI or SANS: who's gonna win?

On my right, PCI DSS

The bible, as I used to call it, is considered by the security community as one of the more pragmatic and prescriptive standard on the field. PCI DSS is organized into 6 domains, 12 requirements, about 200 sub-requirements and about 500 validation points. PCI DSS contrasts with other standards such as ISO 27002, FISMA or HIPPA by the way it tells you what to do, how to do it, how to validate implementation and even how to prioritize your roadmap.  Read PCI 30 seconds newsletter #8 – DSS in a nutshell.

On my left, SANS Top 20 Security Security Controls

SANS identified a subset of security control activities that security responsible individuals can focus on as their top shared priority for cyber security based on attacks occurring today and those anticipated in the near future. These Top 20 Critical Security Controls were agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.They map directly to about one-third of the controls identified in NIST Special Publication 800-53 rev 4 and correlate to the highest technical and operational threat areas for the federal agency enterprise environment as well as private sector enterprise environments (see the FISMA Compliance Guide - note: registration required).

This tedious analysis revealed important gaps in both PCI DSS and SANS Top 20 Critical Security Controls when compared again each other.

The PCI DSS versus SANS Top 20 critical security controls perspective

40% Is the value of PCI DSS along the SANS Top 20 critical security controls axis.

On the total of 190 security sub-controls constituting the SANS Top 20 Critical Security Controls, 28 are partially covered in PCI DSS, 59 are fully covered while 103 of these sub-controls aren't covered by PCI DSS.

If PCI addresses all SANS Top 20 Critical Security Controls with the exception of #2- Inventory of authorized and unauthorized software, this study reveals a poor coverage in PCI DSS at the level of the technical security sub-controls of SANS.

The top three controls best covered in PCI DSS are:

#18- Incident Response Capability (100% of matches)
#16- Account Monitoring and Control (58%)

#14- Maintenance, Monitoring, and Analysis of Audit Logs.

The least covered controls in PCI DSS are:

#1-Inventory of authorized and unauthorized devices and software

#2-Inventory of authorized and unauthorized device and software

#4-Continuous vulnerability Assessment and remediation
#5- Malware defense

#15 - Controlled Access based on the need to know.

The other controls are covered with an average of 42%.

The SANS Top 20 Critical Security Controls versus PCI DSS perspective

49% Is the value of SANS Top 20 Critical Security Controls along the PCI DSS axis.

On a total of 180 sub-requirements constituting the PCI DSS 12 requirements, 8 are not applicable within the context of SANS Top 20 Critical Security Controls, 21 are partially covered by SANS, 73 are fully covered and 78 are not covered by SANS.

The study reveals that PCI DSS is much better structured and covers a wider spectrum of security domains than SANS Top 20 Critical Security Controls. Physical protection, policies and procedures, line and data encryption are poorly or not addressed by SANS Top 20.

The best covered requirements in SANS Top 20 are:

#5 - Use and regularly update anti-virus software or programs (100%)

#11 - Regularly test security systems and processes

#1 - Install and maintain a firewall configuration to protect sensitive data (90%)

#2 - Do not use vendor-supplied defaults for system passwords (88%)

The least covered requirements in SANS Top 20 are:

#3 - Protect stored sensitive data (4%)

#9 - Restrict physical access to sensitive data (10%)

#12 - Maintain a policy that addresses information security for all personnel (24%)

#7 - Restrict access to sensitive data by business need to know (28%).

The other requirements are covered in SANS Top 20 with an average of 61%.

A potential explanation for these deviations is the fact that PCI DSS is feeding a compliance program that ought to be flexible and affordable by a variety of profiles with different level of knowledge's while SANS Top 20 Critical Security Controls are concerned about security and target a more specialized audience.

According to Mike Mitchell, VP global network operations at American Express and chairperson at the PCI council, PCIco objective is to integrate Security in organizations everyday business. This study underlines that neither of PCI DSS or SANS Top 20 Critical Security Controls seem to cover the least sufficient enough measures to defend against know attacks.  Therefore, the community would greatly benefit of a new standard combining the best of PCI DSS and the SANS Top 20 Critical Security Controls. Are there candidates for such an enterprise?

I would like to conclude with this great statement of Bob Novak, Enterprise/IT Architecture and Security:

I have used PCI as a framework in the past to help jump-start security programs.  I have used PCI for this purpose because technologist can understand PCI's simplistic requirements and can self-assess and self-correct easily where PCI is concerned.  If confronted with security controls (i.e. SANS, etc.), however, the eyes of technologists seem to glaze over – and they do not know where to start.  The security controls need to be translated for them into language they understand – or their efforts stagnate.  Thus I consider PCI a helper framework to precede SANS, NIST, CobIT, etc. in a two-phased evolution to a viable security program.”


Get the detailed analysis paper of the PCI-SANS Top 20 Critical Security Controls

Get the FISMA Compliance Guide here.

Get the PCI Compliance Dashboard including SANS Top 20 Critical Security Controls

Visit the Rapid7 website for more PCI DSS compliance content


What is your perspective on these results?

Are you confident about the minimum bar of PCI?

Is it too much or too low?

Do you see this analysis as valuable for the security community?

Did not yet read our previous newsletter #19 - Your PCI Logbook - What is required in terms of log management?