


by David Mundhenk

PCI DSS – it takes a village

Aug 22, 2016 | 4 mins
DLP Software, Network Security, Security

Last month, we wrote The National Retail Federation is dead wrong about PCI, in which we detailed how the National Retail Federation (NRF) is trying to water down the PCI Data Security Standard (PCI DSS) compliance requirements on behalf of its constituents. The NRF is the world's largest retail trade association, and you likely patronize its members daily, be they department stores, e-commerce sites, restaurants, grocery stores and the like.

The NRF has repeatedly attempted to stir up adverse public discourse against all things PCI, often with an underlying current of litigious posturing. In our article we opined that the kvetching by the NRF, now in its seventh year, is excessive, unwarranted, and fails to recognize the many benefits arising from the PCI DSS. Ultimately, the confrontational approach of the NRF is a disservice to the very constituents they are expected to serve.

Most of the feedback we received to our article was favorable. But we also received some unqualified and unsubstantiated criticisms from those who insist the PCI Security Standards Council (SSC) has thrown retail businesses under the bus. That couldn’t be further from the truth.

First off, it's important to note that the PCI SSC has long offered assistance to merchants. An excellent example is the Prioritized Approach to Pursue PCI DSS v3.2 Compliance. It's a methodology, available for years, that helps merchants work toward PCI DSS compliance in a structured order. It defines six security milestones that help merchants and other organizations address the most critical risk factors and escalating threats to cardholder data first, while they travel the winding road toward full PCI DSS compliance.

For entities that have done little or nothing in the past to address cardholder data security, a prioritized approach to compliance helps them triage their often limited staff and budget and achieve compliance in the most expeditious manner.

The prioritized methodology also includes a spreadsheet-based requirements tracking tool that assists with compliance gap identification, remediation planning, execution, acceptance and ultimate sign-off by the authorized entity.

The PCI SSC has also sponsored numerous town hall meetings around the globe for merchants and service providers to facilitate open discussion of PCI and related requirements. Such meetings have been well attended, and the resulting information exchange between the PCI SSC and merchants, service providers and others has helped enhance the effectiveness of the data security standards and address many of the pain points experienced by entities pursuing PCI compliance. It's via these multi-directional information exchanges that the PCI SSC and the communities pursuing its standards can continue to improve all aspects of the PCI compliance program.

Additionally, the PCI SSC formed a small business task force last year to help improve payment data security for small businesses. Co-chaired by Barclaycard and the National Restaurant Association, the PCI Small Merchant Taskforce collaborates on guidance and resources that simplify data security and PCI DSS compliance for some of the most vulnerable businesses preyed upon by cybercriminals. In fact, the National Restaurant Association has also partnered with the PCI SSC to help their constituents better understand and deliver on PCI compliance requirements.

Just last week, Tracy Kitten wrote in How PCI Acceptance Has Improved Security of the significant benefits that PCI has delivered as it approaches its 10-year anniversary. Kitten observes that most merchants (the type the NRF is expected to represent), regardless of their size, finally recognize the need for security. That's huge progress from where we were 10 years ago. She also notes that PCI is working and that its impact will continue to evolve.

So for anyone who says the PCI SSC has abandoned retail businesses: res ipsa loquitur, the thing speaks for itself. The reality is that the PCI SSC has taken measured, positive steps toward helping businesses of all sizes better understand and meet their requirements for protecting cardholder data in support of retail commerce.

The aphorism "a rising tide lifts all boats" holds true for the PCI security standards. When the PCI SSC, QSAs and PA-QSAs, merchants, service providers, issuers, cardholders and beyond all pull together for the greater good, everyone who carries and uses payment cards for commerce benefits greatly from the community effort.

David Mundhenk, CISSP, PCIP, QSA (P2PE), PA-QSA (P2PE) is a Senior Consultant for the Application Validation team at Coalfire Labs.