What would you ask for from the PCI Council this holiday season if you knew they couldn’t say no? Other than abolishing the PCI requirements all together that is! Walter Conway over at Storefront Backtalk already has his PCI wish list laid out, and he’s got some good ones in there. Of course, Walt is trying to be mostly realistic with his wishes, listing a number of requests that actually might be attainable in the year 2011. I on the other hand, feel no such compunction to be quite so restricted, since I don’t think even his fairly modest requests will actually be fulfilled. And since we’re shooting for things that are improbable, it’s just as easy to shoot for the stars as the moon.
So what sort of things is Walt asking for? First of all a list of all the training classes that the PCI Council will be offering in 2011. Here it is two weeks before the end of the year and no one knows exactly when training will be available next year. Personally that doesn’t mean much, since my training will be computer-based as a returning QSA, but for the people coming into the industry and the folks who want the newer Internal Security Assessor (ISA) certification, that’s a major issue. There’s a major manpower issue in the PCI industry and if we can’t get more people trained, it’s only going to get worse.
The other very important item on Walt’s list is for all Level 2 merchants to get started on their own compliance for 2011. If you’ve been involved in an assessment recently, you know that it’s a minimum of two months between when your QSA comes on site and when you have your Report on Compliance (RoC), and that’s only if you have everything buttoned down, there’s no remediation needed and the QSA company has a streamlined process. Even then, two months is probably not realistic, you’re better off planning for three to six months, including remediation; add in the time to actually sign the contract with your QSA company and get a QSA assigned to you on top of that. If you’re using an internal resource in your assessment, you need to look at the first request and realize that you may not even know when you’ll be able to get the required training this coming year. Seriously, if you haven’t started planning for compliance in 2011 already, you better get started today, otherwise June 31 is going to sneak up on you and smack you on the back of the head before you know it. And it will feel like you’ve been hit with a clue bat, trust me.
So what would I wish for from the industry and the PCI Council this Christmas if I knew they couldn’t turn me down? Like I said in the beginning, I’d shoot for the stars; I want a complete rewrite of the PCI requirements that focuses on the desired outcomes, not the specific technical steps that need to be used to accomplish them. Josh Corman had a good suggestion about this; keep the current requirements as an example of how to implement the new requirements, but we’d have a list that focuses more on the outcomes we want and less on the technology that is needed to make them happen. The problem with this solution is that it would introduce a lot more wiggle room in DSS and would require a more mature, knowledgeable group of QSA’s, but it would also give merchants and service providers the ability to be more flexible in their solutions and maybe even allow them to concentrate on security first, compliance second.
And while we’re re-writing the PCI requirements, I want to drop the plethora of requirements that are redundant in any modern operating system. We know that every modern OS tracks event type, time, user, etc., so why do we have to include that in every RoC? If it’s there for applications that are developed internally and externally, then let’s make it apply to those and leave the redundant writing out of the process. I’ve looked at most versions of Windows, Linux, Unix and mainframe, so I already know that they meet with the PCI requirements, so why do I have to write them up every single time? No, this isn’t a point of frustration with me at all.
I don’t think Walt Conway and I are going to get anything other than coal in our stockings from PCI Santa this year, truth be told. The process we’ve gone through the last few years indicates to me that PCI has calcified, which is quite frankly what almost everyone involved in PCI wants. And when I say ‘almost everyone’ I mean the PCI Council, the majority of merchants, all the card brands and the acquiring banks. Merchants have enough of a problem implementing many of the PCI requirements that effectively haven’t changed in over 5 years and won’t change for another 3. The only people who really want change in the PCI standards are the security professionals who are charged with safeguarding your enterprise and the vendors who feel they were locked out of the market by PCI.
By the way, there’s one more group who’s perfectly happy if the PCI standards don’t change and adapt: the attackers. Think on that for a little while.