Don’t worry so much about PCI-DSS compliance!
By Pat Morin, Risk and Business Advisory Principal
PCI-DSS (the Payment Card Industry – Data Security Standard) is a significant concern for many businesses. Yet, we believe that PCI-DSS compliance should be a minor detail on the minds of those who must achieve compliance. Compliance should be a side-effect of good practices that would be in place regardless of the requirement.
PCI-DSS is built on well-established security principles drawn from mature information technology security best practices. Compliance may be a requirement, but effective security that minimizes your risk is the real goal. Many times, that message gets lost.
Like HIPAA and SOX, PCI-DSS places substantial demands upon certain types of businesses and is similarly misunderstood by many who are struggling to implement it. Mixed messages from different sources often lead to increased costs in employee time and in expenses for new but unhelpful equipment. Perhaps the most frustrating outcome we’ve seen from attempts at compliance is an organization that spends more resources than necessary and technically meets the requirements, yet in the spirit of the matter is worse off than when it started.
Here are two cases that we have observed:
- A local university believed their entire network, including the wireless systems that are open to students, needed to meet PCI compliance. That same university says they don’t have a merchant account; credit card processing is outsourced. Even if they had a merchant account, treating the dormitory and classroom networks as part of the system that processes credit card information would be a grave mistake.
- A local programmer for a card processing company asked, “Does PCI dictate how much should be logged at an application level or simply what shouldn’t be logged?” If we had simply answered, “Everything,” it’s still unlikely he would have been compliant. Looking at PCI from a high level, the associated requirement states that they must, “Track and monitor all access to network resources and cardholder data.” The associated PCI-DSS documentation takes up four pages and discusses matters including server time synchronization, review and retention periods, and immutable audit trails.
Despite the complexity of these different types of regulations, they generally don’t have to be burdensome. Well-formed approaches to security have addressed the kinds of requirements outlined in the PCI-DSS standard for more than a decade. Security practitioners and systems administrators have recognized the vital importance of such mundane areas as effective logging and time synchronization for even longer. In fact, some strong authentication systems exist that won’t function if computer clocks disagree about what time it is.
PCI-DSS is now on its second major revision and additional regulations over information technology in the future are a certainty. Whether they will come in the form of internal industry regulation like the PCI-DSS standard, or be adopted into law, requirements will change. Those requirements, however, will be based upon good practices already performed. The codification of requirements will be caused by companies that didn’t implement those good practices on their own and suffered substantial losses for it, harming themselves and their customers.
In addition to ensuring compliance with requirements such as PCI-DSS, good security implemented as a constant model generally results in cost savings. Every year a company grows with poor models in place, it increases the expense associated with a compromise and increases the eventual cost of properly securing its systems. Credit card data is just a part of the equation. Customer lists, financial information, medical data, product development details: each of these has a real financial impact in fines, lost business, or lost competitive advantage.
Organizations that are faced with PCI-DSS or other regulations based in security best practices should seek the advice of security professionals who can help them:
- Leverage their experience and expertise. Much as staff must understand their legal obligations, a firm of sufficient size should have a lawyer available by contract or employment. The same applies to modern data security.
- Assess areas of risk. A growing number of businesses have financial risks related to customer data without realizing it, especially as states enact laws regarding disclosure of data breaches. Evaluate what your employees believe your priorities to be. If security is not a visible part of the environment, staff will not consider security implications.
- Target best practices rather than specific requirements. Requirements should be considered a test of good practices, not the goal.