If your business is involved with taking credit card payments then you will be familiar with PCI DSS ( if not, where have you been? ). Now, much has been written about the Standard and whether it has worked, whether it is a good thing and whether it is worth the hassle to be compliant. Having worked with it for more than six years, I thought I would offer my perspective.
Before that, a little bit of history for you: PCI DSS is now more than 10 years old and version 3.2 will be released shortly. It should always be remembered that it is an industry standard (not a legal requirement), created by the major card issuers to protect their brands and payments. This in itself is no bad thing. After all, before PCI, there was no effective regulation or control of how payments were handled or card holder data managed. From this perspective it should be considered a major success.
However, it is not without its faults or detractors. Many of the perceived failings of PCI DSS I believe come from an unrealistic position. That is compliance with the Standard will make you ‘hack proof’ and that it represents security best practice. Neither is true. Theoretically, compliance to PCI DSS should be relatively straight forward if you are following security best practice across your entire business. The old saying that ‘compliance does not equal security’ is never truer than when applied to PCI compliance.
When approaching PCI compliance consider the following:
- Risk management. Start with the last requirement (no. 12) and implement an effective risk management strategy. This will have enormous benefits beyond the limited boundaries of PCI compliance. Get this part right and everything related to PCI compliance will be easier.
- Technical requirements. PCI is more than just a technical standard. You should be involving all departments and not just IT. Make sure your business understands what you are doing and gain executive management support to ensure that it is enforced.
- By necessity, the PCI standard has been written to encompass merchants and service providers of all sizes. The remit means that many of the statements and requirements are open to interpretation. A good, experienced QSA will guide you through the areas of concern and be able to advise on the right course of action.
- Understand from the outset that PCI will not make you 100% secure (indeed there are huge sections devoted to event logging and the collection of data, all of which will be used in a post-breach investigation). But it can certainly help you eliminate the most obvious security weaknesses and consequently make you less of a target.
- Minimum standard. Consider that the requirements of PCI are generally regarded as fairly standard within the IT security industry, if you are struggling to gain compliance, ask yourself why and look at IT security across your organisation and not just with regards to credit card payments.
- Silver bullets. Beware of any consultant, vendor or QSA that tries to sell you a specific product to achieve compliance. It does not exist and is not required.
I hope that the Standard continues to adapt and evolve. It may not be perfect in every way, but it is still the best we have.