Our featured theme this month on SearchSecurity.com has been the Payment Card Industry Data Security Standard, specifically PCI DSS 2.0.
To get the shameless plugs out of the way, be sure to
Since we've been living and breathing PCI DSS this month, I thought I'd offer up a few short observations and common themes that seem to be reflective of what's happening with PCI DSS 2011 compliance programs.
PCI old news? Think again: In the PCI 2.0 guide we published last year just after the new standard was released, experts Ed Moyle and Diana Kelley made it pretty clear that while some minor-yet-notable changes were expected in the updated version of the standard, there would be no jaw-dropping alterations. That of course proved correct. Because the rules and the resulting compliance processes weren't going to change much, we thought that interest in PCI 2.0 among enterprise security and compliance pros would briefly spike, but then quickly return to normal.
However, according to our informal measurements, interest in PCI DSS might be greater than ever. Attendance at our recent virtual seminar was amazing, questions from readers about PCI keep coming in at a rapid clip, and it seems like we can't give you enough new content on PCI. What's the key reason why PCI is more top-of-mind than ever?
Enterprises want to land on PCI 2.0's long runway: Many security experts and pundits have criticized the PCI Security Standards Council for publicly committing to a three-year cycle for PCI 2.0. The rapid pace of technology evolution, they argued, makes it difficult to justify a 36-month span between revisions. Plus with a threat landscape seems to change monthly or weekly, especially in regard to application attacks, some feared that a lengthy period without a PCI update would, by default, "lower the bar" (as The 451 Group's Joshua Corman eloquently expressed recently) and in essence provide companies with a false sense of security.
But it would seem that, in retrospect, the SSC knew what enterprises needed. With no planned update to the DSS until approximately October 2013, enterprises have a longer period of time to confidently purchase products and implement processes knowing that they'll realize a return on their investments because the rules won't change during an unexpectedly lengthy assessment cycle. Nobody likes to admit it, but there are plenty of companies out there that have found ways to cut corners, get creative with compensating controls or even dodge PCI compliance altogether. The time for PCI excuses is over, thanks in large part to the three-year cycle. I believe that's a major part of why interest in PCI has surged: organizations know it's time to get serious.
"Sure, we love the cloud. Just not for PCI-covered systems and data": There's been no hotter topic in IT during the past two years than cloud computing (though my colleagues at SearchServerVirtualization.com might take exception). We've talked with many organizations actively pursuing cloud computing projects that involve moving a variety of IT systems into the cloud. Cloud computing has been such a phenomenon that I wrote last year that I was concerned security pros weren't being the cloud computing skeptics their organizations need them to be. However, it seems skepticism about cloud computing security reigns: according to an informal survey of participants in our recent virtual seminar, approximately four out of every five say their organizations would not outsource data and applications that fall under the scope of PCI DSS to a cloud provider. There are no doubt a variety of reasons – basic security concerns, worries about passing a PCI assessment and even simple logistical roadblocks – but the message is clear: PCI has many organizations thinking twice about cloud computing
- Yes, "quarterly scanning" means scanning every quarter: Finally, in the time we've been covering PCI, I don't think any other topic has received as many questions as this one. But to be clear, quarterly testing or scanning is required in the cardholder data environment, including on internal and wireless networks as well as externally. This means four scans from an approved scanning vendor (ASV); no, your brother-in-law doesn't count. If you scope out a good portion of your network, then good for you because you can reduce the scope of your scans, but to be compliant by the letter of the standard, these scans must be conducted each and every quarter. It's a burden, especially for large retailers, and it can be costly, but it is necessary.
So what's next for PCI? As companies transition in the PCI DSS 2.0 guidelines with the start of new assessment cycles, it'll be interesting to see whether spending on PCI compliance goes up, goes down or remains basically unchanged. We'll also be watching the four PCI SSC Special Interest Groups that may recommend changes to the standard in the future in the areas of pre-authorization, scoping, virtualization and wireless, respectively. It's way too early to speculate how the next version of the PCI DSS will change, but expect the most significant changes to be in these four areas, and the SIGs will provide the first clues on what those changes might be.
About the author:
Eric B. Parizo is Senior Site Editor of TechTarget's Security Media Group. His rants can be heard each month on SearchSecurity.com's Security Squad podcast.