Apparently the PCI Data Security Standard (PCI DSS) has a bunch of merchants up in arms. Several retailer groups recently sent the PCI Council a letter
Looking at it from the retailers' point of view, maybe PCI DSS is a bit much. This is especially true when so many businesses (large and small) can't even focus on the information security basics that cause the most trouble. Many of the PCI DSS-covered entities don't have a big IT or security budget. The ones that do tend to have very complex systems that can't be overhauled in a pinch. The reality is that investing all the time, money and effort required to become PCI compliant isn't something to take lightly.
This PCI DSS compliance thing has never struck me as an altruistic way of tightening down the security of credit card information -- especially with regards to the qualified security assessor (QSA) and approved scanning vendor (ASV) programs. Over the years I've considered becoming a QSA and/or ASV, but the barrier to entry is just too high. It's not experience or talent that necessarily qualifies you to do PCI assessments. It's money. I recently asked a friend who works for a big business that's grossly affected by PCI DSS what value the QSAs and ASVs have added to his company's PCI compliance efforts. His response: not much. Apparently, it's a whole lot of going through the motions just for formality's sake. The Heartland Payment Systems debacle brings this to the forefront. But I digress.
Maybe the long-term compliance solution is for organizations to be held liable for any and all costs related to a data breach and hold all others harmless.
The reality is, however, none of this matters. PCI DSS compliance -- and information security in general -- are simply part of the cost of doing business in today's world. It's not easy, and it's not cheap. I understand the merchants are saying they have to bear the cost of PCI compliance, but since when were costs not passed along to the end customer anyway? I do find it odd that many of these same businesses that are strapped for cash and IT resources don't have a problem funneling good money into cutesy marketing campaigns over and over again. It just doesn't add up.
I believe that information security and privacy compliance is a bit ahead of its time and the general business mind-set has yet to catch up. Maybe the long-term compliance solution is for organizations to be held liable for any and all costs related to a data breach and hold all others harmless. If they choose to do business a certain way then they can benefit (or suffer) from their choices. It's the basis of the free market, but something like this couldn't possibly be that simple.
In the end, this kind of stuff is going to cost you and me money, so I'm all for doing it right. I just think it's interesting that these restaurants, retailers and others are having trouble with PCI DSS when the very principles it mandates have been around for years -- decades in some cases. This gets back to the old adage that people -- and business managers, specifically -- are only going to do the minimum it takes to get by, probably less. I see this mind-set and culture in the security assessment work I do and we see it on a weekly basis with all the publicized security breaches. The way our personal information is disregarded and carelessly tossed around in so many situations and all the ramifications that brings about, I suppose somebody has to set the standards and enforce the rules.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. With more than 20 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Beaver can be reached at firstname.lastname@example.org.