Posted by: David Schneier
PCI, Regulatory Compliance, Security
I’m a fan of diversification. Professionally or personally I strive to mix and match and switch things around to avoid falling into a rut and to keep things fresh; I’m hopeful the contents of my blog reflect that. And yet, here I go again about PCI, simply because one of my current projects has pulled it into scope and dropped it dead center on my radar.
I participated in a conversation with a client late last week in which the standard was discussed and I’ve thought about little else since. Why the dramatics you ask? Because it brought to light another issue with the beleaguered framework that for me, comes at a time when it’s already teetering on the edge of credibility.
For all but Level 1 candidates, PCI allows an organization to conduct its own self-assessment and determine whether or not it is compliant. And so you don’t really know whether the quality of the assessment is up to snuff, and even beyond that you don’t really know whether it covers enough of the landscape to be truly meaningful. Compounding the issues around the self-assessment process, the people typically responsible for PCI are focused primarily on achieving compliance, as though that by itself were the goal. For them it’s a series of steps to go through and, if no significant issues are noted, they are able to lay claim to the grand prize commonly referred to as being PCI compliant. But is that really what was intended when the credit card companies formed the PCI Council?
If you go to the website (https://www.pcisecuritystandards.org) one of the first things that you notice is where it states that the “PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.” Where is the awareness when only a select few within a company are even aware of what is required by the standard? And how aware are even they if the focus is on doing what’s necessary to “pass” rather than working to push the related controls deeper into the infrastructure?
It’s not just that so many in-scope organizations fail to apply the standard properly (e.g. TJ Maxx, Hannaford, Heartland, etc.); it’s that they don’t see it as the blueprint it’s intended to be. Being PCI compliant simply because a small (but representative) subset of your infrastructure passed the test is not the goal; having the proper controls effectively deployed across the entire infrastructure is. The standard was created so that you know where you need to be looking, what you need to be looking at, and what the people within your organization need to be aware of in order to support the standard. It truly is intended to be more about education and awareness and less about acing an exam.
I sliced into Visa a few weeks back for their finger-pointing posture related to Heartland, and in the past I’ve been known to criticize the PCI Council as well for similar reasons. Stop playing the blame game! Go back to the beginning, back to the basics, and remember that the purpose of the exercise is to provide a basic set of controls that are required at a minimum to protect cardholder data. It’s up to each organization to make adjustments that reflect its own unique infrastructure. And ultimately that infrastructure shouldn’t be measured by PCI-DSS but rather viewed through its lens.
The credit card companies and their PCI Council should be incenting businesses toward a time and place where they can claim that they manage in a style consistent with the basic tenets of PCI, and away from striving to achieve a point-in-time designation whose value expires the moment anything within their infrastructure changes. To quote Michael Douglas in the movie “The American President”: “We have serious problems to solve, and we need serious people to solve them.” We need those in positions of influence not to pull back on PCI but rather to push forward, make the necessary course corrections, and continue getting the word out and providing support to those who need it. When the next breach is made public (because it’s already happened, only we don’t know about it yet) I want to see the people in charge come out and tell us they’re committed to understanding what happened, why it happened, and how they can adjust PCI to help reduce the risk of it happening again.
And really, in the end, what I want personally is the chance to obsess over something else and send PCI to the back of the blogging line.