October 21, 2009
At the PCI Community Meeting last month in Las Vegas, one thing was abundantly clear – merchants and service providers need help. The confusion that comes with a complicated, comprehensive security standard, coupled with governance that shifts back and forth between the PCI SSC and the card brands, has created a situation in which a QSA must be more than just an auditor for its clients.
Now, I should state that I’m a full supporter of the PCI SSC and the PCI DSS – I’m not here to bash the council or the brands. Security around cardholder data is something that really needed improvement (and continues to need improvement), and the PCI DSS is really just a codified set of best practices with a tight focus on cardholder data.
At the community meeting I noticed that a number of the attendees appeared frustrated by how many times a question to the SSC (or to the card brand representatives to the SSC) elicited a response of “That’s really a brand-specific question and will need to be asked of the individual brands directly.” By this point most companies recognize that the PCI DSS is not the overall goal for their security strategy – its narrow focus ignores a great deal that organizations need to be concerned about in terms of information security. However, today many organizations still don’t realize that PCI isn’t even ‘complete’ in addressing credit card security – the brands may have important individual guidance that supersedes the PCI DSS.
Which brings me back to my initial statement – people need help and not just audits. The merchant and service provider community is looking for leadership and for partners to work with them to understand the unique and shifting landscape of compliance and security. This includes PCI, but it also includes the broader discussion of what the individual brands require outside of the PCI DSS and the impact of decisions on overall security.
The community expects and, truthfully, deserves this leadership. After all, we’re the experts and they are putting their trust in that expertise. Yes – passing your PCI audit is very important, but it isn’t the only thing that’s important, even within credit card security.