Three Big Takeaways from the PCI-SSC Meeting

10/27/2009
At the recent PCI Community meeting held in Las Vegas, several issues were discussed that have a direct bearing on merchants and their compliance efforts. Here are some key takeaways from the PCI-SSC community meeting.

Compliance and Risk
First, the PCI Security Standards Council (SSC) signaled that its view of IT risk is maturing. PCI SSC General Manager Bob Russo made it clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance.

The presentations stressed that complying with the PCI standard should be a year-round program and not something done just for the audit and then dropped. Moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations are out in front on this issue, and this attitudinal shift has been aided by the well-publicized breaches that have occurred at PCI-covered organizations over the past 18 months.

Risk-Based Approaches
A second, closely related topic was the notion of moving to a more risk-based approach in implementing the PCI DSS. The SSC was only lukewarm about this idea, and I agree with its hesitation. A risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program, and it makes the job of a QSA much more difficult. Interestingly, the Nuclear Regulatory Commission spent the last few years exploring a risk-based approach to security at nuclear power facilities and concluded that it was not a workable method. True, incorporating risk as a consideration is important to an organization's compliance efforts. But it needs to be done in a manner that is clear and consistent.

Tighter QA Process
That brings us to the third issue, the QA process that the SSC has been working on for assessments. There have been audit guidelines in the past, but the SSC has beefed up its efforts to establish clear baselines for QSAs to follow in doing compliance assessments. The idea is that QSAs should be checking for the same things in a consistent manner; however, it also includes heightened review and documentation requirements. This greater depth, consistency and quality of assessments should be welcome news for merchants. On the other hand, the time necessary to complete an assessment will no doubt increase with these new guidelines, which will increase the cost.

Emerging Technologies
The SSC commissioned a study of the impact of emerging technologies like tokenization and end-to-end encryption on the PCI standards, and this study was the subject of intense discussions. It was good to have these topics aired, but merchants are looking for answers now, as many of them are already implementing these technologies. While the study did a good job exploring the subject, the SSC will have to make important decisions on it quite soon.

Converging Standards
The SSC has always relied on the National Institute of Standards and Technology (NIST) in developing the PCI DSS, but this year there was much more discussion on NIST, and specifically the Federal Information Systems Management Act, or FISMA, IT standards that NIST is responsible for developing and promulgating for use by the federal government. Many attendees thought that future federal regulations would likely impact PCI. In fact, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, for instance, is strongly considering longer-term mandates that use these federal standards as their basis. I think it is very likely that many industry organizations, including the SSC, will incorporate significant portions of these federal standards. This convergence could be evident in Version 1.3 of the PCI DSS, which is estimated to be released in October 2010.

Deke George is a founder and the CEO of NetSPI, which provides risk management and security program assessments, including PCI assessments and security planning consulting for regional and national retailers. The firm is accredited by the PCI SSC as an ASV, QSA, and PA-QSA.