The original intent of the Payment Card Industry Data Security Standard (PCI DSS)--which grew from the early Visa Cardholder Information Security Program (CISP) initiative in 2001--was admirable. The objective: create an open security standard that was achievable by all merchants for the protection of cardholder data. Unfortunately, the program has lost its way in many respects.
Today, PCI DSS is complex and costly, especially for smaller businesses. Many of these costs and complexities are unnecessary and avoidable. For instance, the PCI Security Standards Council, formed last year, charges security vendors between $10,000 and $30,000 annually to be listed as a qualified security assessor and between $5,000 and $10,000 annually to be listed as an approved scanning vendor. Charging companies fees to provide CISP/PCI audit and scanning services was not part of the original plan for the standard, nor was the council.
This has the potential to warp the program in several ways. First, several reputable and respected industry certifications for information security professionals already exist: CISM, CISA and CISSP, to name a few. These are both affordable and provide reasonable assurance of IT security competence. This begs the question: Does the industry need an organization whose core competency isn't information security issuing credentials to assess security?
Thinly veiled as a certification process, these fees also push smaller, but often equally or more qualified security consultants to the sidelines. Consultants who pay the fee have no choice but to pass this cost on to their clients. It strikes me as a conflict of interest for an organization empowered to levy sanctions for non-compliance on one side to also charge vendors large fees to participate on the other. In fact, it artificially drives the cost of compliance up, and the rate of compliance down.
Unwarranted complexities in the standard also are raising the cost of compliance. For example, just to answer the self-assessment questionnaire accurately, many small merchants must hire teams of experts to help them interpret the intent of the questions.
Because of these and other complications, many merchants remain non-compliant to many facets of PCI DSS. This could be solved by simplifying parts of the standard. One way to do this would be to tie the standard to specific guidance in existing information security standards such as the NIST 800 series publications or ISO 17799. The guidance in these is more sensible and, with context around each specific requirement, they're easier to understand and implement. With more straightforward standards and an abundance of security industry certified assessors and scanning vendors, merchants would be much more likely to successfully comply.
Moreover, the current PCI DSS enforcement scheme won't work. The conflict of interest is too high. Even if Visa (which is an association owned by its member banks) requests a merchant be sanctioned, it's up to acquiring banks to enforce the penalty--something they're not inclined to do. Perhaps the answer is to institute an external organization--fully detached from the payment industry--to impose sanctions, as is the case with other regulations.
While the overall goal of PCI DSS is laudable, it's grown into an administrative and costly beast riddled with conflicts of interest. The standard needs to be revised into a clear, attainable, affordable and enforceable open standard. Only then will the industry reach the ultimate goal of increasing merchant and payment system security, and restoring consumer trust and confidence in electronic transactions.