I recently came across a story on PCI in SC Magazine [June]. This particular story was about the election of an advisory board for the PCI Security Standards Council. What caught my eye was the quote from the chairperson, Seana Pitt: "This gives PCI users a seat at the table."
Now who does not want a seat at the table? I have seen many comments about PCI. Some say it is over-prescriptive, impossible to implement and that there is no "voice" from the merchants or processors, and so on.
Now you have a voice. Voting privileges, previews of enhancements to the standard, and a dialogue with stakeholders are just some of the benefits. This is a very significant development from many perspectives.
Financial institutions have a similar roundtable [BITS], which has very restricted, exclusive membership, but PCI is open to all people and institutions dealing with cardholder data.
As with the small number of PCI-compliant companies, there are only about 200 participating organizations currently. Compared to the huge number of companies that deal with cardholder data, this is a very small number. Hopefully the word will spread and PCI will reach critical mass after September, when the payment brands are expected to crack the whip with fines.
Keeping PCI standards current will be a Herculean task. The challenge will be to adopt best practices and controls from other security frameworks to make it a more comprehensive and universal standard so that we don't need multiple audits. If you really want to make a difference, you should actively participate in this grassroots effort.
With more highly publicized breaches, consumers and lawmakers will demand federal intervention and laws. Minnesota became the first state to pass a law referencing PCI compliance. Texas has been working on a similar law.
I am sure many will agree with me that whether or not PCI or any other regulation mandates these controls, we must follow these best practices.
So instead of worrying about the onslaught of domino-effect legislation, I will continue with our ongoing, annual PCI and internal security standard work. That should keep me quite busy until Jack Bauer and 24 return for another season.
30 seconds on...
Raising the bar
Don't be afraid to raise the bar yourself — PCI should be the minimum baseline, not the ultimate goal. Prepare a chart of all related controls from various frameworks (such as ISO, COBIT and NIST) to establish a benchmark.
Encryption
Another question to ask in the PCI process, before your company institutes any encryption, is: do you really need to keep the sensitive data at all? Next, check whether hashing, truncation or other methods will meet the requirements.
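As an added illustration (not code from the column), here are the two alternatives named above, truncation and hashing, in Python, together with the check a practitioner wants before choosing an unkeyed hash: the sample PAN is the standard test number and the key is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed inputs: the standard Visa test number (no real account) and a
# placeholder key. In production the key lives in an HSM / key manager.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"placeholder-key-replace-with-managed-secret"


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, mask the middle: the display form."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable for matching without storing the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def token_matches(pan: str, key: bytes, stored_token: str) -> bool:
    """Constant-time comparison for lookups against a stored token."""
    return hmac.compare_digest(pan_token(pan, key), stored_token)


def unkeyed_guess_space(truncated: str) -> int:
    """Candidates left if the truncated PAN and an *unkeyed* hash of the full
    PAN sit side by side: 10^masked digits, divided by 10 because the Luhn
    check pins one hidden digit. For a 16-digit PAN that is only 100,000,
    which is why an unkeyed hash is no substitute for a keyed one."""
    masked = truncated.count("*")
    return 10 ** (masked - 1)


if __name__ == "__main__":
    assert luhn_valid(SAMPLE_PAN)
    print(truncate_pan(SAMPLE_PAN))                       # 411111******1111
    tok = pan_token(SAMPLE_PAN, SAMPLE_KEY)
    print(token_matches(SAMPLE_PAN, SAMPLE_KEY, tok))     # True
    print(unkeyed_guess_space(truncate_pan(SAMPLE_PAN)))  # 100000
```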
To reduce costs your enterprise can combine various audits into one. IT resources will benefit the most from one audit instead of multiple, time-consuming audits. Automate the compliance process wherever possible.
Celebrate and market security and compliance. Share the stories of the difficult compliance path with everyone within the company, as well as outside, so that people appreciate your commitment and remarkable achievements.