COMPLIANCE COUNSELOR

Compliance year in review: PCI DSS progress, yet confusion abounds


Mike Rothman
12.18.2007
After a year when compliance was top of mind for companies everywhere, amazingly enough, compliance is poised to remain a huge discussion topic within large enterprises for the foreseeable future. Many still struggle to assess the true impact to their environment of ongoing regulatory scrutiny. Before we ring in the New Year, let's take a look back at some of the big compliance issues we saw in 2007 and how the landscape may change moving forward.

You can't mention 2007 and compliance without uttering the "P" word. Of course, I'm referring to the Payment Card Industry (PCI) Data Security Standard. This year, PCI really came into its own with the acceptance of Data Security Standard version 1.1 and the compliance deadlines for Level 1 and Level 2 merchants.

The increased awareness and understanding that PCI is important has had a dramatic and positive impact on security efforts. In stark contrast to the nebulous and mostly ineffective HIPAA and GLBA standards, the 12 requirements of PCI DSS are reasonably specific about what is acceptable from a security controls standpoint.

Yet there is always a downside to progress, and during the summer there were increasing rumblings that PCI was just "too hard." There were back-channel lobbying efforts to ease up some of the requirements, especially those around secure application development and the protection of cardholder data. Personally, I think easing up the PCI DSS requirements just because "they're hard" is a terrible idea. The reality is, encrypting cardholder data at rest, or putting compensating controls in place against a targeted database attack, makes the system more secure. It's important to keep that in mind.

Of course, any discussion of 2007 is incomplete without the TJX data breach. Even though the true extent of the data lost and of the systems compromised remains unknown, the incident caught the attention of every large company around the world. Security officers were able to use the "Let's not be TJX" rallying cry to get executives' attention and refocus resources on security and compliance efforts.

It also came to light that Visa had granted a compliance "exception" to TJX through 2008. Visa is still trying to wipe the egg off its face over that. The reality is, these kinds of exceptions undermine the entirety of the standard and make PCI largely a joke. It's interesting to see the statistics on how many Level 1 and 2 retailers are now PCI "compliant," but how many others have these exceptions?

Other than TJX, 2007 saw several more large-scale data breaches, which exposed companies to compliance liability and to potential civil liability to the customers whose data was lost. TD Ameritrade and Monster.com were high-profile examples, both suffering application-oriented attacks that exposed customer data. Most notable from a compliance standpoint is what you haven't heard from the U.S. government about these clear compliance violations. Will the U.S. Department of Justice or the SEC go after these companies for Sarbanes-Oxley or any other type of regulatory violation?

Given that there were no "public executions" relative to these compliance violations, there is a distinct possibility that regulated entities will decide to take their chances against the hackers, hoping their number won't come up, as opposed to spending the millions required to achieve and sustain regulatory compliance. So if the US government or credit card companies don't go after these violators, the latest batch of regulations is just another addition to a long line of toothless legislation.

There were also a huge number of lost laptops that triggered the various data breach disclosure laws around the world. It continues to perplex me that field-level employees have tens of thousands (or even more) of sensitive customer records on their laptops. This has resulted in a mass-buying wave of laptop encryption products. Since organizations evidently can't stop employees from losing laptops, at least they can render them useless (besides the gray-market value of the hardware) to the criminal.

Speaking of disclosure, we didn't see the expected U.S. federal breach disclosure legislation, which means companies are still governed by the dozens of different disclosure laws on the books in almost every state. A national law may pass in 2008, and it would likely incorporate input from, and requirements for, a more global audience. That would mean standardized terminology and standardized consequences for data breaches; it would be a positive development.

Another new product category emerged in 2007 to help address compliance issues. These so-called GRC (governance, risk and compliance) products are glorified workflow managers basically focusing on gathering data and presenting it within an audit context. I'm not only referring to log data, but also to surveys, assessments and other unstructured data that is required to prove compliance.

On one hand, the difficulty and horsepower required to manage all the data creates a clear value proposition for GRC products. But as with every other potentially hot market, an ongoing battle exists within the vendor community to figure out exactly what GRC means. In the early going, corporate customers end up just as confused as ever about how to solve their compliance issues.

Looking ahead, it's hard to envision 2008 being that different from 2007. We'll see more data breaches, more disclosures and probably more legislation and regulation. Companies will continue to spend money to keep their auditors happy and stay one step ahead of the compliance reaper. But until we really see an organization raked over the coals because of a compliance violation, we'll continue to deal more with the specter of compliance than the reality.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
