It was hard to brush aside comments made by First Data CISO Phil Mellinger, who suggested at a recent forum that the Payment Card Industry's Data Security Standard (PCI DSS) should be overhauled to eliminate subjectivity, ease restrictions and help more merchants comply. After all, Mellinger did develop the precursor to the current standard.
But this week I haven't found many people who agree with him. During a panel discussion on identity fraud in New York Tuesday, I asked a couple financial practitioners if the rules should be eased to help more merchants comply. Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, summed up the consensus in the room when he said, "It's our responsibility to meet the bar that's been set."
Many industry professionals seem to share that attitude, if a recent scan of the blogosphere is any measure.
Let's start with SearchSecurity.com's own Security Bytes blog, where we ran some comments from those who have followed our coverage of Mellinger's talk.
Chris Noell, an executive analyst, CISSP and QDSP, wrote that Mellinger's suggestion for a simpler standard that rises over time would have been a good idea at one point, but that given where we are today, it would be a step backwards.
"Over the last four years, numerous merchants and service providers have told me that they are reluctant to do anything until the very last minute because the card brands have a way of changing their standards, invalidating compliance investments," he wrote. "Lowering the bar now would just confirm this suspicion and cause an erosion of credibility. The 35% of Level 1 merchants who are currently compliant would feel like they had wasted money and would be understandably bitter."
Rick Hayes wrote that Mellinger is missing the boat on PCI. "Obviously, there is an issue with merchant compliance," he wrote. "This is compounded by the fact that generally it takes anywhere from 18-24 months to actually meet the requirements of the 'dirty dozen.'"
But, he added, relaxing PCI DSS will not have any effect other than to increase the likelihood of more data breaches. "It certainly won't mean that more merchants will become compliant," he said. "What needs to be adjusted is the timeline, not the requirements. I don't think anyone in their right mind would or should argue that implementing such basic tenants of security is a bad thing. That is really what PCI is about -- basic security best practices."
The Ambersail infosec blog offered a similar perspective. It expressed sympathy for organizations the size of First Data and said compliance must be tough for them. But lowering the compliance requirements isn't the answer. In the end, the blog said, PCI DSS compliance demands the types of security procedures companies should already be taking.
"Compliance is tough for everyone, big and small," the blog said. "And what we had before was, well, nothing really. Chaos."
Moin Moinuddin, a self-described industry architect with Microsoft Corp., wrote in his ARC Thoughts blog that PCI DSS compliance is good for a company's security and cost controls.
"For example," he wrote, "a retailer who had never really done an internal assessment before now did this and [it] resulted in [the] consolidation of servers in the stores using [a] virtual server product. So this helps in reducing overall cost of maintenance in addition to improving security."
The bottom line is that nobody is accusing Mellinger of giving up on PCI DSS or security. Many people agree the standard could use some changes. But they also believe companies are having trouble with PCI DSS because their security programs were lacking to begin with.
The last thing companies like that need is an easier ride to compliance.