
Is all the PCI DSS compliance whining and complaining justified?

By Kevin Beaver
18 Jun 2009 | SearchCompliance.com



Apparently the PCI Data Security Standard (PCI DSS) has a bunch of merchants up in arms. Several retailer groups recently sent the PCI Council a letter stating how complex PCI DSS compliance is proving to be and asking for some relief. Being a free-market capitalist who believes in less governance and more personal (and business) responsibility, I have mixed feelings about this whole situation.

Looking at it from the retailers' point of view, maybe PCI DSS is a bit much. This is especially true when so many businesses (large and small) can't even focus on the information security basics that cause the most trouble. Many of the PCI DSS-covered entities don't have a big IT or security budget. The ones that do tend to have very complex systems that can't be overhauled in a pinch. The reality is that investing all the time, money and effort required to become PCI compliant isn't something to take lightly.

This PCI DSS compliance thing has never struck me as an altruistic way of tightening down the security of credit card information -- especially with regards to the qualified security assessor (QSA) and approved scanning vendor (ASV) programs. Over the years I've considered becoming a QSA and/or ASV, but the barrier to entry is just too high. It's not experience or talent that necessarily qualifies you to do PCI assessments. It's money. I recently asked a friend who works for a big business that's grossly affected by PCI DSS what value the QSAs and ASVs have added to his company's PCI compliance efforts. His response: not much. Apparently, it's a whole lot of going through the motions just for formality's sake. The Heartland Payment Systems debacle brings this to the forefront. But I digress.


The reality is, however, none of this matters. PCI DSS compliance -- and information security in general -- are simply part of the cost of doing business in today's world. It's not easy, and it's not cheap. I understand the merchants are saying they have to bear the cost of PCI compliance, but since when were costs not passed along to the end customer anyway? I do find it odd that many of these same businesses that are strapped for cash and IT resources don't have a problem funneling good money into cutesy marketing campaigns over and over again. It just doesn't add up.

I believe that information security and privacy compliance is a bit ahead of its time and the general business mind-set has yet to catch up. Maybe the long-term compliance solution is for organizations to be held liable for any and all costs related to a data breach and hold all others harmless. If they choose to do business a certain way then they can benefit (or suffer) from their choices. It's the basis of the free market, but something like this couldn't possibly be that simple.

In the end, this kind of stuff is going to cost you and me money, so I'm all for doing it right. I just think it's interesting that these restaurants, retailers and others are having trouble with PCI DSS when the very principles it mandates have been around for years -- decades in some cases. This gets back to the old adage that people -- and business managers, specifically -- are only going to do the minimum it takes to get by, probably less. I see this mind-set and culture in the security assessment work I do and we see it on a weekly basis with all the publicized security breaches. The way our personal information is disregarded and carelessly tossed around in so many situations and all the ramifications that brings about, I suppose somebody has to set the standards and enforce the rules.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. With more than 20 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Beaver can be reached at kbeaver@principlelogic.com.






Copyright 2009 - 2010, TechTarget. All Rights Reserved.