
COMPLIANCE COUNSELOR

Compliance year in review: PCI DSS progress, yet confusion abounds


Mike Rothman
12.18.2007

After a year when compliance was top of mind for companies everywhere, amazingly enough, compliance is poised to remain a huge discussion topic within large enterprises for the foreseeable future. Many still struggle to assess the true impact to their environment of ongoing regulatory scrutiny. Before we ring in the New Year, let's take a look back at some of the big compliance issues we saw in 2007 and how the landscape may change moving forward.

You can't mention 2007 and compliance without uttering the "P" word. Of course, I'm referring to the Payment Card Industry (PCI) Data Security Standard. This year, PCI really came into its own with the acceptance of Data Security Standard version 1.1 and the compliance deadlines for Level 1 and Level 2 merchants.

The increased awareness and understanding that PCI is important has had a dramatic and positive impact on security efforts. In stark contrast to the nebulous and mostly ineffective HIPAA and GLBA standards, the 12 requirements of PCI DSS are reasonably specific about what is acceptable from a security controls standpoint.

Yet, there is always a downside to progress, and during the summer there were increasing rumblings that PCI was just "too hard." There were back-channel lobbying efforts to ease up some of the requirements, especially around secure application development and the protection of card holder data. Personally, I think easing up the PCI DSS standards just because "they're hard" is a terrible idea. The reality is, encrypting cardholder data at rest or providing compensating controls against a targeted database attack increases the security of the system. It's important to keep that in mind.

Of course, any discussion of 2007 is incomplete without talking about the TJX data breach. Even though the true extent of the data lost or systems compromise remains unknown, the incident caught the attention of every large company around the world. Security officers were able to use the "Let's not be TJX" rallying cry to get executives' attention and refocus resources on security and compliance efforts.

It also came to light that Visa had granted a compliance "exception" to TJX through 2008. Visa is still trying to wipe the egg off its face over that. The reality is, these kinds of exceptions undermine the entirety of the standard and make PCI largely a joke. It's interesting to see the statistics on how many Level 1 and 2 retailers are now PCI "compliant," but how many others have these exceptions?

Other than TJX, 2007 saw a few more large-scale data breaches, which exposed companies to compliance liability and potential civil liability to the customers whose data was lost. Organizations like TD Ameritrade and Monster.com were high-profile examples of this, both suffering application-oriented attacks that exposed customer data. Most notable from a compliance standpoint is what you haven't heard from the U.S. government about these clear compliance violations. Will the U.S. Department of Justice or the SEC go after these companies for Sarbanes-Oxley or any other type of regulatory violation?

Given that there were no "public executions" relative to these compliance violations, there is a distinct possibility that regulated entities will decide to take their chances against the hackers, hoping their number won't come up, as opposed to spending the millions required to achieve and sustain regulatory compliance. So if the US government or credit card companies don't go after these violators, the latest batch of regulations is just another addition to a long line of toothless legislation.

There were also a huge number of lost laptops that triggered the various data breach disclosure laws around the world. It continues to perplex me that field-level employees have tens of thousands (or even more) of sensitive customer records on their laptops. This has resulted in a mass-buying wave of laptop encryption products. Since organizations evidently can't stop employees from losing laptops, at least they can render them useless (besides the gray-market value of the hardware) to the criminal.

Speaking of disclosure, we didn't see the expected U.S. breach disclosure legislation, which means companies are still governed by the dozens of different laws on the books in almost every state in the U.S. A national law may pass in 2008, and it would likely incorporate input and requirements from a more global audience. That would mean standardized terminology and standardized consequences for data breaches, which would be a positive development.

Another new product category emerged in 2007 to help address compliance issues. These so-called GRC (governance, risk and compliance) products are glorified workflow managers basically focusing on gathering data and presenting it within an audit context. I'm not only referring to log data, but also to surveys, assessments and other unstructured data that is required to prove compliance.

On one hand, the difficulty and horsepower required to manage all the data creates a clear value proposition for GRC products. But as with every other potentially hot market, an ongoing battle exists within the vendor community to figure out exactly what GRC means. In the early going, corporate customers end up just as confused as ever about how to solve their compliance issues.

Looking ahead, it's hard to envision 2008 being that different from 2007. We'll see more data breaches, more disclosures and probably more legislation and regulation. Companies will continue to spend money to keep their auditors happy and stay one step ahead of the compliance reaper. But until we really see an organization raked over the coals because of a compliance violation, we'll continue to deal more with the specter of compliance than the reality.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
