Opinion

PCI: Smart or Stupid?

The data security standard isn't as complex as some would have you believe

By Ben Rothke

October 10, 2007CSO — There is something odd about the payment card industry (PCI) standard. Its one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.

PCI requirements fall into six major categories: build and maintain a secure network; install and maintain firewall configurations; protect stored data; use and regularly update antivirus software; restrict access to need-to-know; and monitor and track all access to network resources and cardholder data. These requirements provide a textbook outline of the fundamentals of information security. They reflect attention to detail and risk management. One can sum up PCI in a single word: pragmatic. It takes a realistic approach to the problems of consumer credit data and applies a common sense set of security solutions. PCI takes a narrow focus on what it attempts to solve, as opposed to the Sarbanes-Oxley Act, which lacks any form of specific detail. PCI is a godsend for the protection of consumer credit card data.

Given what PCI is trying to accomplish, one would expect it to be welcomed with open arms by the industry. To a degree, it has been. But surprisingly, there seems to be a cabal that has chosen to attack, rather than embrace, PCI. One recent example: Michael Mathews, chief operating and technology officer at security services company Cynergistek, wrote an article called PCI Has Lost Its Way, Growing Overly Complex and Costly, for the June 2007 issue of Information Security. Mathews repeatedly stresses the complexity of PCI.

But where exactly is that complexity? The requirements and corresponding specifics are extremely pragmatic and can be classified as information security 101.

Mathews writes that because of these and other complications, many merchants remain noncompliant to many facets of PCI DSS. However, the issue really is that these merchants have created their networks with little to no thought of security and privacy. They have placed minimal controls on their users, given no direction to their application developers nor documented required procedures for their administrators on how the network should be managed. Merchants are not noncompliant as a result of PCI DSS; they are noncompliant because they never developed their security programs in the first place.

In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is over the top and can be confusing. He also contends that the costs of meeting the requirements do nothing to boost a retail companys bottom line, with no direct return on investment.

$firstKeyword

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors