PCI Debate Ignores Planned Improvement Cycle
Ben Rothke says PCI bashers should look at the standard's pragmatic plan for ongoing improvement
By Ben Rothke, CISSP PCI QSA
June 16, 2009 — CSO —
Recent Congressional hearings tackled the subject of how well PCI DSS is helping the industry. Both before and since those hearings, myriad industry pundits have spent copious amounts of their time bashing PCI and complaining that it does not work and therefore should be abandoned. And let me tell you firsthand, PCI does not work as of June 2009, and that is precisely the point.
While the PCI-bashing cabal is out in full force, I have found that few of them have read the PCI Security Standards Council's Lifecycle Process for Changes to PCI DSS. Had they done so, they might be singing a different tune. In this document, the Council maps out a long-term, pragmatic and strategic plan for PCI compliance.
Therein lies the problem: people don't want to invest in long-term security plans. They want their security band-aid now, despite the fact that they have never built security into their designs or processes. Too many of those that have long ignored security just want a security appliance they can deploy to show compliance in advance of the SOX auditors. PCI will have none of that.
In the Lifecycle Process document, the Council defines a detailed 24-month lifecycle with five stages that ensures a gradual, phased deployment and use of the PCI Data Security Standard (DSS). The five stages of the process are: Implementation, Feedback, Feedback Review, New Version, and New Version Revision. The Council also noted that it will publish similar lifecycles for the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Security Requirements.
The PCI Lifecycle Process mirrors the theme that Ross Anderson developed in his seminal book Security Engineering: A Guide to Building Dependable Distributed Systems. Anderson posits that although most underlying security technologies (cryptography, software reliability, tamper resistance, security printing, auditing, etc.) are relatively well understood, the knowledge and experience of how to apply them effectively is much scarcer. Anderson suggests an engineering-based approach to solving the problem, rather than simply throwing security appliances at it.
PCI gained critical mass with the release of version 1.1 in September 2006. Version 1.2 was released in October 2008, and the two-year lifecycle restarted with that update. At this point, the industry is still finishing the implementation phase as detailed in the PCI Lifecycle Process.
But the overarching issue is that security, and good security in particular, takes time. It takes analysis, feedback, assessment and understanding. And once all of that is achieved, an organization needs to repeat it again, as the threats and vulnerabilities are highly dynamic and constantly changing over time.