I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world).
The first issue signaled that the council’s view of IT risk is maturing. Bob Russo made it very clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance, although there wasn’t a lot of detail offered on how to do this. The presentations mainly focused on ensuring that complying with the PCI standard is a year-round activity/program and not something just done for the audit. I’d argue that moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations within the PCI community get this. It’s interesting to note that the driver for the council’s new views appears to be the very public breaches that have occurred within PCI-covered organizations over the past 18 months. So, the council has felt the impact. The key question is how the council will help the greater PCI community understand and mature their approach to IT and business risk.
The second, closely related topic was the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea, and I agree with their hesitation. Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program. I think that until more organizations fully and truly implement PCI, such an approach will only muddy the waters. That said, incorporating risk as a consideration is important to an organization’s compliance efforts. As I mentioned above, I think the most pertinent issue is to get PCI-covered organizations to understand IT risk and how it translates into risk to their business. While assessors and many of the banks understand this, some merchants are still a ways off in getting to this level of maturity.
The final and much broader issue related to general standards. The council has always relied on NIST as a guideline, but this year there was much more discussion surrounding NIST, FISMA, and future regulations that will impact PCI. In the keynote, former Congressman Tom Davis discussed the process of passing FISMA. His prediction was that any new information security legislation was not going to happen in the near term. Nonetheless, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, NERC, and a number of the ISACs are strongly considering moves and potentially longer-term mandates that use these federal standards as their direct basis. Ultimately, I think it is very likely that many organizations will use significant portions of these federal standards as their basis. This could be both good and bad and is much easier said than done, but simplification and consistency should help all industries and information security in general.
Overall, the conference was a good barometer on the maturity of the PCI community and I think that, although there have been issues, the program is moving in the right direction.