Eric Ogren

Security Impact

Will the new PCI get in the way of business?

The new version of the PCI standard will be released to the world soon. Standards are very difficult to do well. The typical standard defines interfaces and functional responsibilities, allowing vendors flexibility in how they implement each functional component. PCI DSS takes a more prescriptive approach, detailing exact security technologies and implementation schemes to ensure compliance.

While this provides a great checklist for measuring the level of reasonable care exercised by an organization, it also leads to inflexibility in mapping security to dynamic IT operations. For example, requirement 2.2.1 ("Implement only one primary function per server"), if taken literally, would make every cost-saving virtual datacenter non-compliant. And there are plenty of examples like that throughout the specification.

PCI DSS would be a stronger standard if it allowed for responsible innovation by its affected members. There are a couple of practices that could be added to PCI that would help make it a living security standard.

Require IT security training. PCI DSS should require that every IT person in every affected enterprise take 40 hours of security courses per year. Other professions, such as CPAs, need to do this to stay current and comply with certification requirements. Pushing security expertise and awareness down into the organization enables the business to better evolve its infrastructure with a security consciousness.

Certify independent organizations to approve compensating controls. PCI DSS sticks "Compensating Controls" way back in Appendix B. This is the out clause that allows IT to justify applying security in unique ways, or to use technologies that PCI did not consider. For instance, instead of deploying AV everywhere (requirement 5), many organizations successfully use proactive whitelisting products on production servers to thwart malware, or virtualize applications so sensitive data is not exposed on endpoints. PCI DSS has an opportunity to bring together security best practices - especially as the world turns more virtual and cloud oriented - and to share peer-reviewed best practices with the PCI community. I bet they could even use organizations such as CIS, SANS or ISACA to help on this education mission.

Virtualization is changing the security game dramatically - the old rules just do not always apply anymore. Enterprises are embracing virtualization first and worrying about compliance second because of the impressive cost savings, agility, and efficiency to support the business. I hope the PCI DSS folks are thinking ahead so that IT can be aware of secure approaches and innovate their infrastructure without tossing compliance to the wind.

What People Are Saying

Maybe, if you define "every IT person" reasonably...

"PCI DSS should require that every IT person in every affected enterprise take 40 hours of security courses per year."

This could be onerous to small businesses. E.g., we currently handle less than six thousand transactions per year averaging around $50 (US) each and don't do any e-commerce. Throwing a requirement such as this on organizations such as ours would probably result in many simply ignoring compliance entirely. You would have to define it as something like "Every IT person involved with transaction processing must take xx hours of security courses per year." We can do one thousand times our current volume and remain a level 4 merchant. Forty hours a year of training for even one individual might be considered too much.

That's a problem with PCI-DSS. It throws blanket requirements down as if they apply to everyone. For instance, doing our self-assessment questionnaire for this year, I have to provide ridiculous justifications for why we don't change every security parameter from the default. The answer is painfully obvious--should we change the default security parameter requiring passwords to not require passwords? That would meet the letter of requirement 2.1, but leave us very vulnerable. Somebody needs to think of better ways to get the desired results. A better question would be "Are all security parameters reviewed and changed from defaults as needed?" We could simply answer "Yes" and move on to the areas which either require us to prove that we have taken a secure stance, take corrective action, or document our plan to become compliant.

You hit one of the problems

You hit one of the problems right on the head - the PCI DSS tablets come down from above for all businesses of all sizes and network complexities. It is difficult for organizations that feel a social responsibility to comply to use the requirements as guidelines when customizing for their own specific needs. IT would need a security culture to craft compensating controls to meet the spirit of the requirements where the literal PCI requirement may not be appropriate. PCI would then get good ideas from the bottom up (by people actually doing the work) as well as top down.

Other professional disciplines require training to remain current in the industry. I don't feel it is too onerous to ask an IT professional to attend one or two seminars over the course of a year.

I totally agree with you that the requirements can be excessive for businesses with low transaction rates. Many organizations prioritize the requirements because it is just not feasible from a cost standpoint to do it all.

The new PCI DSS 1.2 spec is just out. Time to check it out ...

Eric

Certification?

Speaking of certifications, there is the CPISM and CPISA. Wiki for it or find more info on the SPSP site.

Malware protection in the store

Great thoughts here Eric, and you're on to something with certifying suggested compensating controls. In fact, you've got folks like Solidcore and Bit9 already being deployed as compensating controls for AV. This is especially important in the stores, where AV simply doesn't work on POS systems. We just need to be careful not to make the same mistake twice by identifying something different like "whitelisting" in place of "AV" as the sole approach...it's more about malware protection in the general sense, and to your point, having valid compensating controls that won't be called into question each year.