Nine years ago, the major payment card brands came together and quietly released the first version of the Payment...
Card Industry Data Security Standard (PCI DSS), consolidating the confusing set of overlapping requirements previously promulgated by the card brands.
It is indisputable that many organizations only considered payment card security for the first time when faced with this compliance mandate.
Almost a decade later, the industry now awaits the third major PCI DSS release as the council prepares to issue PCI DSS 3.0. Now is an excellent opportunity for the industry to reflect upon the standard's successes and failures, and that's what we'll do here in this PCI DSS review.
Compliance vs. security: Where are we?
Of course, the goal of the PCI DSS is to improve the security of payment card information and reduce the cost of fraud to the sponsoring institutions. It's no secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year. This is an age-old discussion in the world of compliance: How much of what we do actually improves security, and how much is simply bureaucratic overhead?
There's no doubt that PCI DSS, as with any regulatory obligation, requires us to perform some tasks that don't contribute to the security of our information. For example, none of us want to spend time filling out self-assessment questionnaires or documenting the results of an account review. However, the vast majority of PCI DSS requirements do have a legitimate basis in information security dogma, and while some wish the standard raised the bar higher, most security professionals freely admit that the requirements indeed reflect industry standard best practices.
Has the state of security improved since the release of PCI DSS? I contend that, indeed, it has. While organizations that have always had strong security programs may have only seen marginal improvements in their security, it is indisputable that many organizations only considered payment card security for the first time when faced with this compliance mandate. The cause of most payment card breaches can be traced back to basic security controls that were lacking, and the PCI DSS has helped build awareness around the need for fundamental information security practices.
Consistency of assessments
One of the early complaints among merchants and service providers regulated by PCI DSS was that the standard contained a number of vague requirements that were inconsistently enforced by the Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council to conduct PCI DSS validation assessments. This led to confusion within the regulated industry and some degree of "shopping around" for a QSA that would provide organizations with the results that it wanted to hear.
Thankfully, this situation has improved. The PCI SSC heard this feedback and put a tremendous amount of effort into building a community of QSAs who consistently interpret the standards. To achieve this task, the council moved from a standard document that simply listed requirements to one that incorporates the precise audit procedures that QSAs are to follow when validating compliance. For example, requirement 9.1.1 involving the use of video cameras and access control mechanisms now has three specific procedures:
9.1.1 a "Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas."
9.1.1 b "Verify that video cameras and/or access control mechanisms are protected from tampering or disabling."
9.1.1 c "Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months."
With this new degree of precision, merchants and service providers now go into assessments with a reasonable understanding of the procedures that QSAs will perform when conducting assessments.
Preparing for PCI DSS 3.0
As we approach the third release of PCI DSS, many organizations now have a degree of confidence borne from experience that simply was not there in the past. While compliance managers should certainly review the PCI DSS Version 3.0 Change Highlights issued by the SSC, there is plenty of time to prepare before the standard goes into effect in January 2014. Take the time provided to you during this grace period to review the new standard and implement any changes that might be necessary in your cardholder environment to remain compliant in the coming year.
The bottom line? In my opinion, the PCI DSS compliance field has matured significantly over the past decade and evolved from a confusing, feared set of technical requirements to a well-understood standard that is now often used as the "gold standard" of security even in unregulated fields.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.