While organizations will focus on several compliance issues in 2011, many have the Payment Card Industry Data Security Standard (PCI DSS) 2.0 and governance, risk and compliance (GRC) at the top of their lists.
The shiny new PCI DSS 2.0 standard, which took effect Jan. 1, was two years in the making. While the new version fixes some of the shortcomings and better clarifies what was in version 1.2, the major new addition is virtualization compliance.
But while virtualization compliance is mentioned, there are no specific virtualization security recommendations offered. Without specific guidance about how to ensure virtualization compliance, some industry observers believe it will not be as effective as it could be.
Unfortunately, the PCI Security Standards Council will not update PCI DSS 2.0 for at least three years. Until then, organizations concerned about protecting credit card information in virtual environments will have to wait.
Even where some guidance for the new standard is offered, industry observers say they see problems with it, particularly in the area of risk management.
“The biggest change is the new guidance on taking a risk-based approach to the security assessment process. It's the way it should've been all along, but more IT, security and compliance managers are realizing they need to address compliance in conjunction with information risk management,” said Kevin Beaver, an independent information security consultant and founder of Principle Logic LLC.
He added that while he thinks the council is underplaying the updates to 2.0, merchants need to pay close attention to them.
“I think they [the new updates] are a pretty big deal. They empower merchants and other covered entities to use a little more common sense. Businesses need to pay attention because, if anything, they make PCI compliance simpler,” he said.
Torsten George, vice president of worldwide marketing at Agiliance Inc. in San Jose, said PCI DSS will be a major focus for many this year, particularly those with virtualized environments. However, he added, many such shops have gone forward with virtualization products and strategies without first establishing standards or ensuring that they have the proper tools in place.
“PCI 2.0 requires testing a virtualized environment to ensure that if you put multiple accounts onto a single processor, that there is still this segregation of data and that the data is protected. With such strict requirements and a lack of tools, you will see a lot of accounts failing PCI audits,” George said.
GRC product sales will continue to rise
GRC issues will be the other area of focus for many compliance accounts. Users are expected to put their money where their mouths are, as analysts believe the robust spending that took place on GRC products in 2010 will continue in 2011.
Forrester Research Inc. analyst Chris McClean said sales of GRC tools grew 15%, from $635 million in 2009 to just less than $749 million worldwide in 2010. He added that he’s confident that momentum will continue well into the year.
“After talking with some of the larger vendors, as well as the indications we get from the buyers, it looks like it is going to be a big one for this space,” said McClean, author of the Forrester report “Market Overview: GRC Platforms.”
Some GRC vendors say larger compliance shops plan to buy their products in 2011 to more tightly integrate them with a range of far-flung systems containing critical historical data. Applying GRC tools can help consolidate this data, resulting in better business processes.
“In 2011, we see businesses extracting and analyzing this data gathered from various domains, company initiatives and information systems to improve the effectiveness of their business processes,” said Kevin Cheng, a spokesman for Protiviti Inc. in Menlo Park, Calif.
Still other observers see much stricter regulatory enforcement over the course of 2011, given cases such as those involving The Goldman Sachs Group Inc. and Piper Jaffray Cos., where both companies failed to retain electronic records.
“Looking ahead to 2011, organizations can expect increased regulatory enforcement from agencies like the SEC and FINRA, making it that much more important for organizations to deploy archiving solutions for all electronic communications,” said Stephen Marsh, CEO and founder of Smarsh Inc. in Portland, Ore. “Organizations need to learn from the mistakes of 2010 and proactively take the necessary steps to ensure full compliance needs are met.”
Marsh added that 2011 will see a greater use of mobile communication as more professionals turn to iPads and smartphones. In a recent survey by Ernst & Young, he noted, some 53% of respondents said that they see increased workforce mobility as a significant or considerable challenge for ensuring information security.
“In the year ahead, companies will struggle to support new mobile devices and communication methods with the need to mitigate the reputational and compliance risks associated with mobile communications,” Marsh said.