Eric Ogren

Security Impact

Will the new PCI get in the way of business?

The new version of the PCI standard will be released to the world soon. Standards are very difficult to do well. The typical standard defines interfaces and functional responsibilities, allowing vendors flexibility in how they implement each functional component. PCI DSS takes a more prescriptive approach, detailing exact security technologies and implementation schemes to assure compliance.

While this provides a great checklist to measure the level of reasonable care exercised by an organization, it also leads to inflexibility in mapping security to dynamic IT operations. For example, requirement 2.2.1 ("Implement only one primary function per server"), if taken literally, would make every cost-saving virtual datacenter non-compliant. And there are plenty of examples like that throughout the specification.

PCI DSS would be a stronger standard specification if it allowed for responsible innovation by its affected members. There are a couple of practices that can be added to PCI that would help make it a living security standard.

Require IT security training. PCI DSS should require that every IT person in every affected enterprise take 40 hours of security courses per year. Other professions, such as CPAs, need to do this to stay current and comply with certification requirements. Pushing security expertise and awareness down into the organization enables the business to better evolve its infrastructure with a security consciousness.

Certify independent organizations to approve compensating controls. PCI DSS sticks "Compensating Controls" way back in Appendix B. This is the out clause that allows IT to justify applying security in unique ways, or to use technologies that PCI did not consider. For instance, instead of deploying AV everywhere (requirement 5) many organizations successfully use proactive white-listing products on production servers to thwart malware, or virtualize applications so sensitive data is not exposed on endpoints. PCI DSS has an opportunity to bring together security best practices - especially as the world turns more virtual and cloud oriented - and to share peer-reviewed best practices with the PCI community. I bet they could even use organizations such as CIS, SANS or ISACA to help on this education mission.

Virtualization is changing the security game dramatically - the old rules just do not always apply anymore. Enterprises are embracing virtualization first and worrying about compliance second because of the impressive cost savings, agility, and efficiency to support the business. I hope the PCI DSS folks are thinking ahead so that IT can be aware of secure approaches and innovate their infrastructure without tossing compliance to the wind.
