Swiping Back
by Amy Rogers Nazarov
Issue: May 2006

12-step Program for Compliance

Unlike some government regulations, the PCI standard is praised for its clarity. Here are the 12 basic requirements.
  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt the transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Straightforward Mandate
Whether it's mandating encryption or intrusion detection, eliminating vendor-supplied passwords, or ensuring that antivirus audit logs are kept current, PCI's clarity has won many converts. The standard sets out 12 requirements, which are detailed in multiple sub-requirements.

"[PCI is] very specific, clear and pragmatic," says Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group's U.S. headquarters in Atlanta. "People who have worked with traditional technology standards might not be happy because PCI doesn't meet a lot of the historical criteria to be called a standard. You can give it a different name, but PCI does seem to be very [useful] in terms of strengthening data security."

PCI is a common-sense approach to security, says Jennifer Mack, Cybertrust director of compliance product management. Customers "are loving PCI because now they have some driver to force their company into spending," she adds.

Barak Engel, CSO at LoyaltyLab, a San Francisco-based company that serves as its clients' outsourced CRM application, says PCI's clarity helps with encryption. "Everybody talks about encryption, and people have come to view encryption as a magic bullet. Deploying encryption properly is something the PCI standard provides a lot of detail on. It gives you solid and specific guidelines," he says.

Self-regulation of the sort PCI represents beats federal oversight, according to PCI implementers and observers.

"Most [other] regulations in the U.S. and other countries are written in broad language to allow for differences in various industries and business size," Goodendorf says. "This makes it difficult to impose technical specifications on technology vendors and to have a high level of confidence that compliance is adequate."

Plus, standards are generally easier to update over time than laws, she adds.

PCI also could lay to rest some ambiguity generated by the 1999 passage of GLBA, a piece of legislation that pushed banks, insurance companies and other financial institutions to protect consumers' financial information. GLBA's vague wording raised questions among other kinds of companies that collect consumers' private financial data, including credit card information, about the proper procedures they ought to implement to secure that data.

SANS's Paller notes that PCI is the only standard or regulation "at a low enough level to actually make a difference. Every other standard in security is at the 10,000-foot level."

Not everyone agrees on PCI's effectiveness. Earlier this year, Gartner Group released a report critical of PCI, noting that the standard "is too broad in scope, too detailed in some areas and not enough detailed in others.... That standard reads like a 'Best Practices Security Manual,' which, while laudable, goes beyond the immediate goal of protecting cardholder data."

Certainly, PCI is not a one-size-fits-all proposition, notes LoyaltyLab's Engel. "Each environment has certain quirks that need to be addressed." For example, by complying with PCI, LoyaltyLab is able to assure its customers--such as 1-800-FLOWERS--that their customers' credit card data is secure, Engel says. In turn, the company had to identify a hosting provider who would be willing to "play ball with us," in part by agreeing to virtually separate LoyaltyLab's corporate network from the hosted environment. "Our list of requirements was a little bit longer," Engel says, but managed hosting provider RackSpace met the criteria.
