
Bloggers not for easing PCI DSS

By Bill Brenner
11 May 2007 | SearchSecurity.com




It was hard to brush aside comments made by First Data CISO Phil Mellinger, who suggested at a recent forum that the Payment Card Industry's Data Security Standard (PCI DSS) should be overhauled to eliminate subjectivity, ease restrictions and help more merchants comply. After all, Mellinger did develop the precursor to the current standard.

But this week I haven't found many people who agree with him. During a panel discussion on identity fraud in New York Tuesday, I asked a couple of financial practitioners whether the rules should be eased to help more merchants comply. Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, summed up the consensus in the room when he said, "It's our responsibility to meet the bar that's been set."

Many industry professionals seem to share that attitude, if a recent scan of the blogosphere is any measure.

Let's start with SearchSecurity.com's own Security Bytes blog, where we ran some comments from those who have followed our coverage of Mellinger's talk.

Chris Noell, an executive analyst, CISSP and QDSP, wrote that Mellinger's suggestion for a simpler standard that rises over time would have been a good idea at one point, but that given where we are today, it would be a step backwards.

"Over the last four years, numerous merchants and service providers have told me that they are reluctant to do anything until the very last minute because the card brands have a way of changing their standards, invalidating compliance investments," he wrote. "Lowering the bar now would just confirm this suspicion and cause an erosion of credibility. The 35% of Level 1 merchants who are currently compliant would feel like they had wasted money and would be understandably bitter."
About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Rick Hayes wrote that Mellinger is missing the boat on PCI. "Obviously, there is an issue with merchant compliance," he wrote. "This is compounded by the fact that generally it takes anywhere from 18-24 months to actually meet the requirements of the 'dirty dozen.'"

But, he added, relaxing PCI DSS will not have any effect other than to increase the likelihood of more data breaches. "It certainly won't mean that more merchants will become compliant," he said. "What needs to be adjusted is the timeline, not the requirements. I don't think anyone in their right mind would or should argue that implementing such basic tenets of security is a bad thing. That is really what PCI is about -- basic security best practices."

The Ambersail infosec blog offered a similar perspective. It expressed sympathy for organizations the size of First Data and acknowledged that compliance must be tough for them, but argued that lowering the compliance requirements isn't the answer. In the end, the blog said, PCI DSS compliance demands the types of security procedures companies should already be following.

"Compliance is tough for everyone, big and small," the blog said. "And what we had before was, well, nothing really. Chaos."

Moin Moinuddin, a self-described industry architect with Microsoft Corp., wrote in his ARC Thoughts blog that PCI DSS compliance is good for a company's security and cost controls.

"For example," he wrote, "a retailer who had never really done an internal assessment before now did this and [it] resulted in [the] consolidation of servers in the stores using [a] virtual server product. So this helps in reducing overall cost of maintenance in addition to improving security."

The bottom line is that nobody is accusing Mellinger of giving up on PCI DSS or security. Many people agree the standard could use some changes. But they also believe companies are having trouble with PCI DSS because their security programs were lacking to begin with.

The last thing companies like that need is an easier ride to compliance.
