Should PCI DSS rules be relaxed? Readers respond

Last month, First Data CISO Phil Mellinger suggested that the PCI DSS rules should be relaxed and then gradually tightened to give companies a chance to comply. He proposed some changes at a PCI DSS conference in New York City and is also calling for a PCI DSS compliance directory, listing compliant merchants as a reward for meeting the standards. Security pros have responded, some opposing and some agreeing with Mellinger’s comments. Some believe merchants should be well on their way to securing credit card data, while others say the issue is a bit more complicated. Below are some comments received recently by

I agree that Phil Mellinger’s suggestion for a simpler standard that rises over time would have been a good idea. Given where we are today, though, this would be a step backwards. Over the last four years, numerous merchants and service providers have told me that they are reluctant to do anything until the very last minute because the card brands have a way of changing their standards, invalidating compliance investments.

Lowering the bar now would just confirm this suspicion and cause an erosion of credibility. The 35% of Level 1 merchants who are currently compliant would feel like they had wasted money and would be understandably bitter.

Also, from a risk management perspective, the standard is appropriate where it is. We can quibble over some of the details, but it is hard to argue that overall the standard is overkill given the risks the payments industry faces. In my opinion, what is needed is better guidance and interpretation of the standard. There are too many cases where overly literal interpretations lead to unnecessary expenditures.

– Chris Noell, Executive Analyst CISSP, QDSP

I think that First Data CISO Phil Mellinger is missing the boat on PCI. Obviously, there is an issue with merchant compliance. This is compounded by the fact that generally it takes anywhere from 18-24 months to actually meet the requirements of the “dirty dozen.” Relaxing PCI-DSS will not have any effect other than to increase the likelihood of more data breaches. It certainly won’t mean that more merchants will become compliant. What needs to be adjusted is the timeline, not the requirements. I don’t think anyone in their right mind would or should argue that implementing such basic tenets of security is a bad thing. That is really what PCI is about: basic security best practices. The problem with trying to meet the 9/30 or 12/31 deadline (depending upon your merchant level) revolves around the cost of meeting the requirements. This will result in spending money on consultants and contractors and perhaps ultimately result in poor implementation. Poor implementation is not something that you want regarding security. I continue to hear “interpretation” used both internally and externally as it relates to the requirements. Believe it or not, I’ve actually heard different interpretations of the word “generic” as it relates to user accounts. I think to avoid this, the PCI Security Council needs to step up and provide guidance.

– Rick Hayes

The issue is not just about the PCI DSS … Many companies are treating each compliance issue as a separate project while in reality, the underlying responsibility, internal controls, and testing of those controls, may significantly overlap. By addressing all compliance issues in a holistic approach, redundant effort is reduced, business goals are met, compliance costs are lowered, and more efficient use of internal resources is made.

There are a couple of reasons why companies do not want to be compliant. The biggest issue is the disconnect between senior management and the IT technical staff. Just like in the banking industry, until the Board of Directors or the most senior management was held accountable for the security of the data. Recent settlements the Federal Trade Commission (FTC) made with ChoicePoint and CardSystems have shown that unfair business practices can be determined by lack of compliance with the issues that face the companies. As more and more fines are levied towards senior management, or companies that have been breached go bankrupt, senior management is looking at non-compliance as a higher risk than before. Until such time that non-compliance risk is pushed to the high or critical level, they will balk at the cost of compliance. My estimate is that TJX may not survive the next two years. This may be the wakeup call that is needed.

– James Ritchie, CISA, QSA, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

I could not agree more with Mr. Mellinger’s idea of “gradual compliance.” Working at a small-to-medium sized business currently, it is very easy to see how the DSS is not only harming organizations in this class, but nearly putting them out of business. Neither the time, personnel, nor money exists to meet all of the requirements within the DSS in [small and midsized businesses], so most either choose to ignore it or spend what translates into tens of thousands of dollars trying to become compliant. While the overall intention of the DSS is good, the Payment Card association should examine alternative methods for implementation based on the size and revenue of a business.

While the DSS requirements are rigid, they address a “minimum” level of controls an organization should have in place to protect not only itself, but the cardholder data it possesses. Quite honestly, had the PCI DSS initiative never been implemented, I would expect to see 90% of the DSS requirements in place at an organization before I would want to do business with them. This is simply a matter of checks and balances, and protecting your information assets shows good business practice. It shows that an organization has a sense of self-preservation.

Not one to encourage big government, but I would encourage government intervention at some level with the PCI DSS. As it stands, the PCA is making money hand over fist through the application and acceptance of the PCI DSS. Not only are merchants and service providers paying the PCA fees, but Qualified Security Assessors and Approved Scanning Vendors are as well. Also, in order to become registered with the PCA, an organization must pay a nominal fee of $5000. Ensuring PCI compliance is expensive enough outside of the costs incurred for these fees, and I believe the government should intervene at some level and curb the extracurricular costs. The PCA organizations are making money as it stands, so why nickel and dime the organizations sending business their way?

– Alex Pezold, Information Security Officer, ChoicePay Inc.

PCI forces many of the things we have been saying we “should do” for quite some time. As someone who has to both provide security direction and assist in IT audits, I can tell you organizations need this kind of push. In many cases PCI (or other compliance) is the only thing that has forced organizations to step up and dedicate the resources to security. The real problem is organizations are so behind they view this as an overwhelming set of expectations, when in reality the expectation was they would already be doing most of these out of “common sense” or at least out of “due diligence.”

There are weaknesses in PCI as it is open to wide interpretations, like all other laws, guidance and requirements we have to regularly deal with. The real issue is that if you look at GLBA, HIPAA or SOX, all are loosely stated high-level objectives. PCI has some firmly defined requirements without wiggle room or excuses, and that is what the fuss is all about. There is a higher level of accountability and therefore risk. It might however be an easier pill to swallow if there were phases of implementation that guided companies as far as where to start and what was most important. Then, as long as merchants followed reasonable progress toward complete compliance, they would be considered compliant.

– Chad Lorenc, CISSP, GCIH, NSA-IAM/IEM, Information Security Officer

1 comment

I'm reading the responses and I wonder if people have actually read the checklist. First of all it shows its age (the long-winded explanation of what a firewall is, and the requirement for stateful inspection) and it's vague (banning INTERNAL network addresses from coming from the INTERNET to the DMZ?? I need some explanation on that, because it's not clear how a service in the DMZ can have a session where the src IP is NAT'd and it's coming from the public Internet... unless the company has a private VPN, in which case I'm not sure what the vulnerability is exactly...)

Anyhow: IMHO, you cannot get merchants to comply without showing how PCI DSS can give business value by effectively reducing risk. Any bank or card processor knows that processing cards is an ongoing exercise in risk management, yet Visa and MC have ignored their own core business and turned information security into a checklist compliance thing. PCI DSS is about mitigating the risk of unauthorized disclosure of credit card numbers (on the assumption that once disclosed they can be used for fraudulent transactions) and PII (on the assumption that with a name, SSN and DOB a bad guy can steal an identity).

The problem is that the PCI DSS is an all-or-nothing list of controls: a merchant has no way of calculating his risk profile in PCI. He has no tool for knowing if implementing the controls will reduce the damage to his assets (business reputation, customer list, chargebacks from the bank if he leaks data, etc.) because:

a) the standard has no notion of assets
b) the standard has no notion of threats
c) the standard has only an implied notion of vulnerabilities
d) the standard has no agreed-upon standard to calculate the risk exposure of a merchant or processor in terms of assets, threats and vulnerabilities.

My 2c,
Danny