This past October 4, at around 12 pm EST, Facebook—along with sister properties Instagram and WhatsApp—ceased to function and remained offline globally for almost six hours. But what does that have to do with PCI compliance? Plenty, according to the Electronic Transactions Association’s (ETA) Risk, Fraud & Security working group.
A recent blog post on the ETA’s website features a summary of the group’s commentary around the outage and its connection with PCI. Here’s what the committee had to say.
Just because a business is PCI compliant, doesn’t mean it can withstand an outage like the one experienced by Facebook
The CIA Triad of Information is a model many businesses follow to stay ahead of cyber-threats, and adhering to it can be considered the first step in PCI compliance. The “C” stands for confidentiality (limiting access to data to authorized parties only); the “I,” for integrity (assurance that the information is trustworthy and accurate); and the “A,” for availability (a guarantee that authorized parties will have reliable access to the information they need).
Outages, denial of service attacks, and ransomware affect availability, which in turn may have a negative impact on a business — “to wit, Facebook’s loss of $40 billion in market capitalization due to the outage,” committee members note in the blog. However, they observe that the PCI DSS is not directly concerned with availability; instead, it focuses primarily on the confidentiality of cardholder data and, to a certain degree, on the integrity of authentication credentials and certificates used to provide that confidentiality. “This doesn’t mean that availability isn’t important,” the authors write, “only that being PCI compliant (offers) little assurance that you can withstand an outage like the one that struck Facebook.”
Outages may impact security controls
The outage prevented many people from using Facebook’s single sign-on (SSO) security control for authentication. According to the group, “this brings to light the fact that outages may actually impact security controls.” Committee members recognize that while this issue is not directly addressed in the PCI DSS, other PCI standards established by the PCI Security Standards Council (PCI SSC) “contain specific controls that are relevant.” Such standards include P2PE (the PCI Point-to-Point Encryption standard) and SSF (the PCI Software Security Framework).
Both standards, committee participants point out, “can help dictate” that when a security control fails, entities must ensure that the failure does not have a negative impact on the environment. They must also address the lapse in security with fallback controls. For example, a loss of SSO availability that leads to a fallback to another authentication method that has not yet been assessed for issues like default passwords, encryption, or multifactor authentication would be considered a security reduction for entities subject to standards like P2PE and SSF.
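The fallback principle described above, as an added example that is not part of the ETA blog post or this article: a hypothetical application authenticates against an external SSO provider and, during an outage, may fall back to a local credential store only if that fallback path has been assessed against the same baseline the SSO path meets (no default passwords, hashed credentials, MFA enforced). If it has not, the application fails closed rather than silently reducing its security posture, and every decision is written to an audit trail so the degraded mode is visible to operations. All names, users, secrets and the simulated outage are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY_BAD_CREDENTIAL = "deny: credential rejected"
    DENY_FALLBACK_UNASSESSED = "deny: sso unavailable, fallback not assessed"
    DENY_MFA_REQUIRED = "deny: fallback requires a second factor"


class SsoUnavailable(Exception):
    """Raised by the SSO verifier when the provider cannot be reached (outage)."""


@dataclass
class FallbackAssessment:
    """Outcome of assessing the local fallback path against the SSO baseline."""
    default_passwords_removed: bool
    mfa_enforced: bool
    credentials_hashed: bool

    def meets_baseline(self) -> bool:
        return (self.default_passwords_removed
                and self.mfa_enforced
                and self.credentials_hashed)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the local store never holds plaintext credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalUser:
    salt: bytes
    password_hash: bytes
    otp_secret: str  # constructed static code; a real deployment would use TOTP


def make_local_user(password: str, otp_secret: str) -> LocalUser:
    salt = os.urandom(16)
    return LocalUser(salt, _hash_password(password, salt), otp_secret)


@dataclass
class Authenticator:
    sso_verify: Callable[[str, str], bool]   # raises SsoUnavailable during an outage
    local_users: Dict[str, LocalUser]
    assessment: FallbackAssessment
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def _record(self, user: str, path: str, decision: Decision) -> Decision:
        # Audit trail: (user, authentication path, decision) for monitoring.
        self.audit.append((user, path, decision.value))
        return decision

    def _local_verify(self, user: str, password: str, otp: Optional[str]) -> Decision:
        rec = self.local_users.get(user)
        if rec is None:
            return Decision.DENY_BAD_CREDENTIAL
        if not hmac.compare_digest(_hash_password(password, rec.salt), rec.password_hash):
            return Decision.DENY_BAD_CREDENTIAL
        if otp is None:
            return Decision.DENY_MFA_REQUIRED      # fallback enforces MFA, same as SSO
        if not hmac.compare_digest(otp, rec.otp_secret):
            return Decision.DENY_BAD_CREDENTIAL
        return Decision.ALLOW

    def authenticate(self, user: str, credential: str, otp: Optional[str] = None) -> Decision:
        try:
            ok = self.sso_verify(user, credential)
        except SsoUnavailable:
            if not self.assessment.meets_baseline():
                # Fail closed: an unassessed fallback is a security reduction.
                return self._record(user, "sso", Decision.DENY_FALLBACK_UNASSESSED)
            return self._record(user, "local-fallback",
                                self._local_verify(user, credential, otp))
        return self._record(user, "sso",
                            Decision.ALLOW if ok else Decision.DENY_BAD_CREDENTIAL)


def demo() -> Dict[str, str]:
    """Runs the constructed scenarios and returns each decision as a string."""
    users = {"alice": make_local_user("correct horse battery", "482913")}  # constructed

    def sso_down(user: str, credential: str) -> bool:
        raise SsoUnavailable("simulated provider outage")

    def sso_up(user: str, credential: str) -> bool:
        return user == "alice" and credential == "correct horse battery"

    unassessed = FallbackAssessment(default_passwords_removed=False,
                                    mfa_enforced=False, credentials_hashed=True)
    assessed = FallbackAssessment(True, True, True)
    a_unassessed = Authenticator(sso_down, users, unassessed)
    a_assessed = Authenticator(sso_down, users, assessed)
    a_sso_up = Authenticator(sso_up, users, assessed)
    return {
        "unassessed": a_unassessed.authenticate("alice", "correct horse battery", "482913").value,
        "assessed_no_otp": a_assessed.authenticate("alice", "correct horse battery").value,
        "assessed_with_otp": a_assessed.authenticate("alice", "correct horse battery", "482913").value,
        "assessed_wrong_password": a_assessed.authenticate("alice", "wrong", "482913").value,
        "sso_up": a_sso_up.authenticate("alice", "correct horse battery").value,
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The design choice worth noting is the ordering of checks: the assessment gate runs before any local credential is even looked at, so an unassessed fallback cannot be exercised by a valid password, and the audit entries tagged `local-fallback` give a detection hook for how long the environment ran in degraded mode.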
The fact that the outage occurred doesn’t necessarily mean cloud services shouldn’t be used for important components of security
Cloud services can yield benefits like scalability, flexibility, and reduced costs, in turn freeing up funds for organizations to invest in other security controls or other risk-mitigation initiatives that would more than compensate for losses caused by “unlikely” outages, committee members observe. Given this fact, they advise entities that utilize cloud services for security purposes to conduct risk assessments of these services and cite loss of availability (access to their system) as a possible risk scenario.
Among other suggested measures: estimating the impact and likelihood of loss of availability and exercising fallback measures to decrease residual risk. Committee members also advise entities to decide for themselves whether their cloud strategy can withstand the consequences of incidents like the outage in case such an event should impact them or one of their security or infrastructure vendors.