
Compliance year in review: PCI DSS progress, yet confusion abounds

For compliance specialists, 2007 has brought massive data security breaches and PCI DSS headaches. What can corporations learn from the past 12 months? In this tip, security management expert Mike Rothman looks back at the key compliance events of 2007, and examines what security professionals can expect for 2008.

After a year when compliance was top of mind for companies everywhere, amazingly enough, compliance is poised to remain a huge discussion topic within large enterprises for the foreseeable future. Many still struggle to assess the true impact to their environment of ongoing regulatory scrutiny. Before we ring in the New Year, let's take a look back at some of the big compliance issues we saw in 2007 and how the landscape may change moving forward.

You can't mention 2007 and compliance without uttering the "P" word. Of course, I'm referring to the Payment Card Industry (PCI) Data Security Standard. This year, PCI really came into its own with the acceptance of Data Security Standard version 1.1 and the compliance deadlines for Level 1 and Level 2 merchants.

The increased awareness and understanding that PCI is important has had a dramatic and positive impact on security efforts. In stark contrast to the nebulous and mostly ineffective HIPAA and GLBA standards, the 12 requirements of PCI DSS are reasonably specific about what is acceptable from a security controls standpoint.

Yet, there is always a downside to progress, and during the summer there were increasing rumblings that PCI was just "too hard." There were back-channel lobbying efforts to ease up some of the requirements, especially around secure application development and the protection of cardholder data. Personally, I think easing up the PCI DSS standards just because "they're hard" is a terrible idea. The reality is, encrypting cardholder data at rest or providing compensating controls against a targeted database attack increases the security of the system. It's important to keep that in mind.

Of course, any discussion of 2007 is incomplete without talking about the TJX data breach. Even though the true extent of the data lost or systems compromised remains unknown, the incident caught the attention of every large company around the world. Security officers were able to use the "Let's not be TJX" rallying cry to get executives' attention and refocus resources on security and compliance efforts.

It also came to light that Visa had granted a compliance "exception" to TJX through 2008. Visa is still trying to wipe the egg off its face over that. The reality is, these kinds of exceptions undermine the entirety of the standard and make PCI largely a joke. It's interesting to see the statistics on how many Level 1 and 2 retailers are now PCI "compliant," but how many others have these exceptions?

Other than TJX, 2007 saw a few more large-scale data breaches, which opened up companies to compliance liability and potential civil liability on behalf of the customers who lost data. Organizations like TD Ameritrade and were high-profile examples of this, both suffering application-oriented attacks that exposed customer data. Most notable from a compliance standpoint is what you haven't heard from the U.S. government about these clear compliance violations. Will the U.S. Department of Justice or the SEC go after these companies for Sarbanes-Oxley or any other type of regulatory violation?

Given that there were no "public executions" relative to these compliance violations, there is a distinct possibility that regulated entities will decide to take their chances against the hackers, hoping their number won't come up, as opposed to spending the millions required to achieve and sustain regulatory compliance. So if the U.S. government or credit card companies don't go after these violators, the latest batch of regulations is just another addition to a long line of toothless legislation.

There were also a huge number of lost laptops that triggered the various data breach disclosure laws around the world. It continues to perplex me that field-level employees have tens of thousands (or even more) of sensitive customer records on their laptops. This has resulted in a mass-buying wave of laptop encryption products. Since organizations evidently can't stop employees from losing laptops, at least they can render them useless (besides the gray-market value of the hardware) to the criminal.

Speaking of disclosure, we didn't see the expected U.S. breach disclosure legislation, which means companies are still governed by the dozens of different laws on the books in almost every state in the U.S. A national law may pass in 2008, and it would likely incorporate input and requirements from a more global audience. This would mean standardized terminology and standardized consequences for data breaches; it would be a positive development.

Another new product category emerged in 2007 to help address compliance issues. These so-called GRC (governance, risk and compliance) products are glorified workflow managers basically focusing on gathering data and presenting it within an audit context. I'm not only referring to log data, but also to surveys, assessments and other unstructured data that is required to prove compliance.

On one hand, the difficulty and horsepower required to manage all the data creates a clear value proposition for GRC products. But as with every other potentially hot market, an ongoing battle exists within the vendor community to figure out exactly what GRC means. In the early going, corporate customers end up just as confused as ever about how to solve their compliance issues.

Looking ahead, it's hard to envision 2008 being that different from 2007. We'll see more data breaches, more disclosures and probably more legislation and regulation. Companies will continue to spend money to keep their auditors happy and stay one step ahead of the compliance reaper. But until we really see an organization raked over the coals because of a compliance violation, we'll continue to deal more with the specter of compliance than the reality.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO at, read his blog at, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

This was last published in December 2007
