PCI portal aims compliance guidance at smaller merchants

By Neil Roiter, Senior Technology Editor, Information Security magazine
12 May 2008 | SearchSecurity.com

PCI-DSS is far more prescriptive than most regulations and industry security mandates, but its laundry list of requirements still generates plenty of controversy and confusion.

So, every organization, from the Level 1 mega-merchant to the smallest Level 4 credit union, continues to wrestle with questions like, "Are we compliant?" "Are we spending too much?" "Are we spending smart?" and, the question that sometimes gets lost in the scramble to comply, "Are we secure?"

The new PCI Knowledge Base presents PCI research, a panel of PCI experts and forums for merchants, assessors, security managers, and others trying to understand and apply the PCI standards. Working with IT research firm TheInfoPro, it has produced preliminary research on best practices, the use of various security tools, ways to deal with virtualization in cardholder data environments, supplier/partner security, and spending. The new portal will eventually sell research services and sponsorships.

"We want to get people aware of the difference between compliance and security," said David Taylor, founder of the fledgling PCI Knowledge Base. "I don't think a security professional generally believes that compliance and security are the same, but there are plenty of people in upper management who've been told we've got to spend these hundreds of thousands of dollars, which is a typical range, to get compliant."

There's a danger that an organization can develop tunnel vision dealing with PCI at the expense of a sound security program, according to Burton Group analyst Randall Gamby.

"You get verticals of security solution sets when you really have to look at a general security policy," Gamby said. "If someone gets too focused on just PCI, other initiatives can start to slip and you may expend additional monies fulfilling one particular requirement, when there may be another requirement in another regulatory body that could be answered in the same way."

Organizations often spend money on tools, but lack the resources and/or the policies and processes to make effective use of them. For example, they may buy a log management tool but fail to dedicate people to monitor and respond to potential issues. Or they install a Web application firewall but fail to monitor alerts and remediate vulnerabilities. Some simply don't know where to start beyond attempting to check off the 12 PCI DSS requirements. Some companies pay big money for guidance, but most can't afford pricey consultants.

"I made a very good living being a PCI consultant for the last few years," said Taylor, "but why would a Level 3 or Level 4 pay that kind of money? They're not going to. We wanted to get together with a bunch of folks -- the panel of experts, assessors, on all sides of the equation -- and put together information that would actually help Level 3s and Level 4s do this themselves."

"The good news is that we now have a forum where people can start voicing questions and opinions and start getting answers," said Burton's Gamby. "It's nice to say what the general best practice seems to be by going to this environment and seeing what most people believe. This gives you a general populace understanding around the various modules and issues around PCI."

Gamby cautions that the Knowledge Base is not yet anywhere close to that point. At this stage, he sees a collection of opinions, but not the kind of exchange he finds in good newsgroups, where people help each other solve problems. In particular, more assessor participation is essential.

"I don't see a lot of auditors, assessor type folks there," he said. "The auditors are the ones who have to get in there and put comments in so people can know what to do."

That being said, he believes the Knowledge Base's value will grow as more people exchange information on specific issues.

"Once more people are interacting on a particular topic area, we're going to be able to say, 'this really is best practice because 75% of the people believe this is the right way of addressing that.'"

Developing that caliber of forum is a high priority, Taylor said. He wants to get everyone touched by PCI to contribute.

"Everybody does know something, and all we want to do is capture what they know," he said. "Everyone is smart, you just have to figure out about what."

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy