Is all the PCI DSS compliance whining and complaining justified?

By Kevin Beaver
18 Jun 2009 | SearchCompliance.com


Enterprise IT tips and expert advice
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Apparently the PCI Data Security Standard (PCI DSS) has a bunch of merchants up in arms. Several retailer groups recently sent the PCI Council a letter stating how complex PCI DSS compliance is proving to be and asking for some relief. Being a free-market capitalist who believes in less governance and more personal (and business) responsibility, I have mixed feelings about this whole situation.

Looking at it from the retailers' point of view, maybe PCI DSS is a bit much. This is especially true when so many businesses (large and small) can't even focus on the information security basics that cause the most trouble. Many of the PCI DSS-covered entities don't have a big IT or security budget. The ones that do tend to have very complex systems that can't be overhauled in a pinch. The reality is that investing all the time, money and effort required to become PCI compliant isn't something to take lightly.

This PCI DSS compliance thing has never struck me as an altruistic way of tightening down the security of credit card information -- especially with regards to the qualified security assessor (QSA) and approved scanning vendor (ASV) programs. Over the years I've considered becoming a QSA and/or ASV, but the barrier to entry is just too high. It's not experience or talent that necessarily qualifies you to do PCI assessments. It's money. I recently asked a friend who works for a big business that's grossly affected by PCI DSS what value the QSAs and ASVs have added to his company's PCI compliance efforts. His response: not much. Apparently, it's a whole lot of going through the motions just for formality's sake. The Heartland Payment Systems debacle brings this to the forefront. But I digress.

The reality is, however, none of this matters. PCI DSS compliance -- and information security in general -- are simply part of the cost of doing business in today's world. It's not easy, and it's not cheap. I understand the merchants are saying they have to bear the cost of PCI compliance, but since when were costs not passed along to the end customer anyway? I do find it odd that many of these same businesses that are strapped for cash and IT resources don't have a problem funneling good money into cutesy marketing campaigns over and over again. It just doesn't add up.

I believe that information security and privacy compliance is a bit ahead of its time and the general business mind-set has yet to catch up. Maybe the long-term compliance solution is for organizations to be held liable for any and all costs related to a data breach and hold all others harmless. If they choose to do business a certain way then they can benefit (or suffer) from their choices. It's the basis of the free market, but something like this couldn't possibly be that simple.

In the end, this kind of stuff is going to cost you and me money, so I'm all for doing it right. I just think it's interesting that these restaurants, retailers and others are having trouble with PCI DSS when the very principles it mandates have been around for years -- decades in some cases. This gets back to the old adage that people -- and business managers, specifically -- are only going to do the minimum it takes to get by, probably less. I see this mind-set and culture in the security assessment work I do and we see it on a weekly basis with all the publicized security breaches. The way our personal information is disregarded and carelessly tossed around in so many situations and all the ramifications that brings about, I suppose somebody has to set the standards and enforce the rules.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. With more than 20 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Beaver can be reached at kbeaver@principlelogic.com.
