Beyond the checkbox: PCI DSS
An upcoming update of a credit card standard offers an opportunity to assess overall security, says Symcor's Della Shea. James Hale reports.

For any organization that wants to do business without using cash, the Payment Card Industry Data Security Standard (PCI DSS) is akin to table stakes: It's both a contractual agreement with card issuers and a guarantee of security to customers. Complying with its 12 principles is not an option for those who store, transmit and/or process cardholder data, and remaining compliant means keeping pace with the standard as it evolves to reflect emerging security concerns. Introduced by the world's five leading card companies in December 2004, and managed by the PCI Security Standards Council (PCI SSC), the standard is updated every three years after extensive consultation with a wide range of players.
On the eve of a new version of the PCI DSS – set to be released on Nov. 7, and take effect Jan. 1 – many eyes are on the card industry to see what changes the new standard will bring. In advance of the release, those in the know are guarding the specifics, but in general terms it is anticipated to address issues of what falls within the scope of the standard, as well as network segmentation (i.e., where cardholder data resides within network devices), and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.
In some quarters, interest in the new release reflects concerns that the revised standard will add to the burden of compliance. After all, even the PCI SSC admits that understanding and implementing the dozen requirements, with their hundreds of sub-categories, can be daunting, especially for merchants without a large IT department or the resources to outsource compliance guarantees to a qualified security assessor (QSA) that the council has approved. Meanwhile, some skeptics question the continued relevance of the standard in the face of new technologies, such as tokenization, point-to-point encryption and chip cards. Still others are far more optimistic. Della Shea, chief privacy officer for Symcor, a Toronto-based financial processing company owned by Canada's three largest banks, sees the new release as an opportunity to refocus on overall security.
Shea is one of a number of observers who believe that companies have placed too much emphasis on merely meeting the minimum requirements set out in the 12 steps.
“We need to get back to the original spirit of the PCI DSS,” she says. “Too often, companies take a ‘checkbox’ approach and just try to be compliant for its own sake. They're missing the larger picture.”
Bob Russo, general manager of the PCI SSC, likens compliance to putting deadbolts on your house: You can install the locks to qualify for home insurance, he says, but how secure is your home if you don't use them? “PCI standards are just a springboard to overall security for organizations entrusted with cardholder data,” he says.
Craig Spiezle, executive director and president of the Online Trust Alliance, a Bellevue, Wash.-based nonprofit whose goal is to promote innovation in online transactions, agrees. “Compliance is just a slice in time, a minimum threshold,” he says.
Shea, whose company provides services to more than 100 clients in the retail, banking and telecommunications sectors, says that if meeting PCI compliance can be compared to climbing Mount Everest, maintaining compliance is like living on the mountain. One mistake that many companies make, she says, is viewing compliance as merely a technical issue. That approach can be expensive and limiting.
“You need to take a business approach to compliance,” she says. “That means you need to have a business model, you have to fully understand it and you must be able to replicate whatever success you achieve.”
An enterprise-wide approach is critical, she adds. “You can't maintain PCI compliance unless all your stakeholders are completely onboard. It's very easy to separate issues into silos rather than sharing information and creating a common compliance culture.”
And, creating that culture throughout an organization demands strong and effective operational and governance models, she says, espousing some sound business basics that are often preached within corporations. Her ideal approach to compliance management begins with having key milestones and a dedicated budget. Next, it requires that someone maintains overall responsibility and follows through with a program of education, communication and proven change management principles.
Given the high stakes involved in handling consumer card data, failure is not an option, she says. “The goal of achieving and maintaining security in this environment forces you to be pragmatic.”