PCI-DSS is far more prescriptive than most regulations and industry security mandates, but its laundry list of requirements still generates plenty of controversy and confusion.
So, every organization, from the Level 1 mega-merchant to the smallest Level 4 credit union, continues to wrestle with questions like, "Are we compliant?" "Are we spending too much?" "Are we spending smart?" and, the question that sometimes gets lost in the scramble to comply, "Are we secure?"
The new PCI Knowledge Base presents PCI research, a panel of PCI experts and forums for merchants, assessors, security managers, and others trying to understand and apply the PCI standards. Working with IT research firm TheInfoPro, it has produced preliminary research on best practices, the use of various security tools, ways to deal with virtualization in credit card holder environments, supplier/partner security, and spending. The new portal will eventually sell research services and sponsorships.
"We want to get people aware of the difference between compliance and security," said David Taylor, founder of the fledgling PCI Knowledge Base. "I don't think a security professional generally believes that compliance and security are the same, but there's plenty of people in upper management who've been told we've got to spend these hundreds of thousands of dollars, which is typical range; to get compliant."
There's a danger that an organizations can develop tunnel vision dealing with PCI at the expense of a sound security program, according to Burton Group analyst Randall Gamby.
"You get verticals of security solution sets when you really have to look at a general security policy," Gamby said. "If someone gets too focused on just PCI, other initiatives can start to slip and you may expend additional monies fulfilling one particular requirement, when there may be another requirement in another regulatory body that could be answered in the same way."
Organizations often spend money on tools, but lack the resources and/or the policies and processes to make effective use of them. For example, they may buy a log management tool but fail to dedicate people to monitor and respond to potential issues. Or they install a Web application firewall but fail to monitor alerts and remediate vulnerabilities. Some simply don't know where to start beyond attempting to check off the 12 PCI standards. Some companies pay big money for guidance, but most can't afford pricey consultants.
"I made a very good living being a PCI consultant for the last few years," said Taylor, "but why would a Level 3 or Level 4 pay that kind of money? They're not going to. We wanted to get together with a bunch of folks--the panel of experts, assessors, on all sides of the equation and put together information that would actually help level 3s, level 4s do this themselves."
"The good news is that we now have a forum where people can start voicing questions and opinions and start getting answers," said Burton's Gamby. "It's nice to say what the general best practice seems to be by going to this environment and seeing what most people believe. This gives you a general populous understanding around the various modules and issues around PCI."
Gamby cautions that the Knowledge Base is not yet anywhere close to that point. At this stage, he sees a collection of opinions, but not the kind of exchange he finds in good newsgroups, where people help each other solve problems. In particular, more assessor participation is essential.
"I don't see a lot of auditors, assessor type folks there," he said. "The auditors are the ones who have to get in there and put comments in so people can know what to do."
That being said, he believes the Knowledge Bases' value will grow as more people exchange information on specific issues.
"Once more people are interacting on a particular topic area, we're going to be able to say, 'this really is best practice because 75% of the people believe this is the right way of addressing that.'"
Developing that caliber of forum is a high priority, Taylor said. He wants to get everyone touched by PCI to contribute."Everybody does know something, and all we want to do is capture what they know," he said. "Everyone is smart, you just have to figure out about what."