Mar 15 2011
PCI has become a way of life, not just for me personally, but for nearly every merchant out there who processes a serious number of credit card transactions. What was just a murmur on the wind for most folks five years ago has become part of the drumbeat of their every waking hour. The evolution from something only the largest companies had to deal with to something nearly every merchant has to deal with has been painful for many, and will probably continue to be so for quite some time. All because PCI has become the dominant security standard for anyone dealing with credit cards. And since most businesses deal with credit cards on some level, it’s become the de facto standard for the majority of the security industry.
Branden Williams wrote a post that took me back to some of the early arguments I had with Josh Corman, very polarized ‘discussions’ of whether PCI was the answer to a lot of security issues or whether PCI was deforming the security market in potentially harmful ways. I’ve always been of the opinion that PCI is a good lever for getting the money to implement projects most security teams should have in place anyway. Josh states that PCI has been starving other technologies that could go beyond the simple requirements in the standard, which is where his infamous “No Child Left Behind of Security” comes from. Josh and I have both since modified our positions: I have admitted that there are some technologies PCI ignores that could address real security concerns, while Josh has conceded that some of the technologies PCI requires are something nearly every business needs in some form.
I shouldn’t be surprised that there are still a number of merchants out there in denial about what’s required of them by PCI and their acquiring banks, but I still am a little. Many businesses have been able to ignore PCI or pay lip service to it so far, but as the card brands push compliance (and the risk, incidentally) farther down into the merchant community, that’s going to get harder and harder. If you’re a single merchant or service provider, no matter how large or small, you’re eventually going to have to concede that compliance is the irresistible force and you’re not an immovable object. The only real ways to effect change in the PCI standards are to work with them for now, work within the PCI Council and Special Interest Groups, and potentially look for a better standard to be created. Another alternative is to work with state and federal government to effect change, but I can’t imagine how that could improve the situation.
One last point from Branden’s post to consider is the use of compensating controls; I’ve worked with more than a few merchants who, for real, technical reasons, were unable to meet specific requirements, as have most experienced QSAs. Don’t be afraid to use them, as long as you’re meeting and exceeding the intent of the requirement in question. It’s not a blemish on your Report on Compliance to have a Compensating Control Worksheet, especially if it is well written.