PCI Compliance? Easy if you know how!
December 11th, 2006 Drazen Drazic Posted in PCI, PCI DSS
I’ve heard a couple of times in recent weeks figures bandied about, supposedly from the Acquiring Banks, talking about the levels of PCI compliance. (I say supposedly because I don’t want to assert something that may not be right, but the sources aren’t too bad!)
Figures as high as 90% of self-assessments (as defined for Tier 2 and below) are coming back (supposedly) 100% ticked off… Now I ask: 90% all compliant, or 90% not all compliant yet? Did I hear right? Sure did.
Now these figures fly in the face of what we’re seeing out there, so the question needs to be asked: are we only seeing clients that by chance fall into that 10% and none of the other 90%, or does something sound wrong here?
The PCI DSS is not overly complex but it is certainly full of grey areas in terms of depth of compliance and most importantly, what’s in and what’s out of scope. Moreover, it is setting minimum security requirements and controls far ahead of almost anything else that has been thrown at the private sector.
Every client we’ve had that has seriously looked at their level of compliance against the PCI DSS standard has had to, to some degree, make plans for changes to their environment - most acknowledging that compliance will be a longer-term project for them, with the resourcing and financial burden needing to be phased.
So what’s the other 90% doing? Keen to share that secret, guys? It will be interesting to see what an audit would turn up in the event of an incident… but then again, will it matter that much if Company X is only a Tier 3? Seriously though, some questions need to be asked if that figure of 90% is accurate.
DD


December 13th, 2006 at 9:13 pm
It’s a toughy! Perhaps worthy of debate on SecurityMetrics list
Hmmm… liability, fines, perhaps disclosure is at the heart of it?
Thoughts on this?
http://pcidss.wordpress.com/2006/08/06/78-merchants-dont-know-and-institutions-dont-care-about-pci-dss/
As with the first.org community, the main issue is enumerating incidents, quantifying the degree of damage (cost?) and then the subsequent lack of information sharing due to the sensitive nature thereof!
At the end of the day, self-policing only works with incentives, thus incidents can go undetected even when one meets external/internal compliance requirements…
Wondering if at some point the card companies will want the equivalent of CCTV inside company networks, e.g. the ability to surveil them?
Who do YOU trust? Who do I trust? Who do THEY trust?
D.
December 19th, 2006 at 6:04 am
Hey D,
Some good points - pretty much agree with most.
SecurityMetrics? Yeah but my brain would hurt for a long time after that!
Re: Fines - they can be levied by the acquiring banks (and on advice from the PCI members) but what’s it going to take? Only the Tier 1s are really going to be open to more extensive independent review of compliance, but even then it’ll be subjective at best and probably rarely policed. (Again, until there’s a bad breach).
Re: Self-policing, I agree. In addition, it only works if the organisation knows what the hell it is supposed to be doing and has the expertise in-house to do it. Does it work with independent auditors? You’d like to think so, but the reality is, as we both know, that many are going to know less than the in-house guys. Let me qualify “many”. You probably know the main culprits - the ones that come in once a year generally, backed by the big name.
It’s a tough game and it isn’t helped by QSAs who themselves sound clueless. It’s a story we hear quite often. What’s the client to do / know when the QSA seems lost as to what and how things need to be done?
CCTV?
DD