BOSTON -- Far too many merchants try to compete with the Payment Card Industry Data Security Standard (PCI DSS), finding ways to implement compensating controls to gain compliance with part of the standard, and they end up spending far too much money in the process.
"If you don't agree with a particular PCI provision and you think you can do things better, that's fine, but you have to build a case for a compensating control," said Anton Chuvakin, co-author of "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance."
Chuvakin, an independent consultant focusing on logging, SIEM and PCI DSS compliance, spoke on ways merchants can more effectively address PCI issues and achieve PCI security compliance during a session "PCI Done Right and Wrong," at SOURCE Boston 2010 last week. He was joined by the book's co-author Branden Williams, a former PCI qualified security assessor and director of security consulting at RSA, the security division of EMC Corp.
When most merchants begin assessing their environment against the PCI standard, there will be a gap between the current environment and the implementation of PCI controls. If the enterprise is going to implement security technologies to comply with PCI, it must be prepared to maintain them, Chuvakin said. Organizations must understand that PCI is the floor, not the ceiling, he said. Companies should work toward exceeding the baseline and ensuring that PCI security compliance initiatives are a continuous process.
"If you think the QSA is your enemy, you've missed the opportunity to improve security at your organization," Chuvakin said. "After validating compliance, don't stop. Security is your goal, not compliance; not passing an audit."
More enterprises need to think of the QSA as a partner, not their adversary. Work with a good QSA to get an objective assessment, Williams said. It's important to pick a QSA that understands the business because "ultimately you don't want someone making a decision that breaks your business," Williams said.
Other organizations get caught up treating compensating controls as a shortcut. Nearly all enterprises implement at least one compensating control during the PCI compliance process, but the approach must be taken cautiously, he said.
"I've seen cases where a company sat around for six months working on a compensating control," Williams said. "In the end, to fix the problem would have cost $3 million, but doing the compensating control came in at $6 million."
One common misconception among merchants is that acquiring banks require the merchant to retain credit card data for seven years after a transaction has taken place. Most firms can eliminate the actual credit card data, Williams said.
"You can go back and scrub the data," he said. "You don't have to have a credit card number for seven years, just a record of the transaction."
Both experts urged attendees to find experienced assessors and avoid misrepresenting the company's current environment.
"If you treat your QSA like an auditor, they're going to ask closed-ended questions and you're not going to have success," Williams said. "Ultimately, the goal is to improve overall security."