Archive for April 12th, 2009


PCI Standards Are Overly Complex

At the March 31, 2009 hearing held by the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Mr. Michael Jones, CIO of Michaels Stores, Inc. stated, “The PCI Data Security Standards are an extraordinarily complex set of requirements. They are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement.”  Let’s examine his statement and see if or where Mr. Jones is going off track.

First, let’s take his remarks regarding the fact that the PCI DSS is “confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement.”  After attending my latest recertification training, I could understand his remark.  There were a few QSAs in attendance that did not appear to fully understand what the PCI DSS is about and the concept of risk management.  However, these QSAs were a small minority of the attendees.  That said, there are a number of areas in the PCI DSS that are up for interpretation between the QSA and the acquiring bank.  So, while a QSA may interpret a given area as being compliant, the acquiring bank may not take the same view.  Given all of this, I’ll give the confusion and subjectivity points to Mr. Jones.  However, on the enforcement side of his comment, I think Mr. Jones is all wrong.  From my involvement in a variety of card brand enforcement actions, the card brands are neither confused nor subjective when it comes to enforcement, far from it.  So, it’s a split decision so far.

Now let’s tackle the big issue, that the PCI DSS is “extraordinarily complex.”  Apparently, Mr. Jones has not seen the NSA security standards, ISO 27000 or the NIST FISMA standards.  If he thinks the PCI DSS is complex, he’s in for an extremely rude awakening if he ever sees these other security standards.  The PCI DSS is nothing more than a consolidated collection of information security ‘best practices’ for the protection of cardholder data (CHD).  It could be used as a framework for protecting any personally identifiable information (PII), and I typically recommend the PCI DSS to clients that are looking for a PII security framework.  It’s obvious that Mr. Jones does not have much of a background in information security or he would recognize that the PCI DSS is nothing especially new or complex.  Based on my experience with organizations taking similar positions, I’m betting that Mr. Jones and his staff are not in a position to be able to address network and data security.

Finally, Mr. Jones stated that the PCI DSS is “very expensive to implement.”  I am guessing that this statement is the result of Mr. Jones running his operation on a shoestring budget with very little in the way of modern hardware and software.  While this sort of management style makes lots of friends with the other C-level executives, it does nothing to help the organization adapt to the changing retail environment.  But regardless of whether we are talking retail or any other type of organization, what gets lost because of this shoestring approach is that there is a baseline cost of doing business that must be met just to be in business.  For Michaels Stores, this would likely include applications such as an inventory management and distribution system, point of sale system, merchandising system, Internet-based store, etc. and all of the necessary hardware, utility software and networks to support it all.  All of these components have a cost associated with them, both an initial cost and on-going costs for support, security, privacy, maintenance, training and replacement.  I cannot tell you how many organizations, of all industries and sizes, I have worked with over the years that do not compute total on-going costs so that they can plan and budget properly.  As a result, management of these organizations goes through ‘shock and awe’ every time they need to invest in anything because things are never planned, they are always a surprise.  I’m again betting that Mr. Jones operates in this manner and as a result got caught without any way to provide an option to get PCI DSS compliant because of short-sightedness on his part.

In the end, I think Mr. Jones used his appearance at the House hearing as a way to justify his own short-sightedness.  It is these sorts of people that blame everyone but themselves for their problems when it is their limited and irrational views that are the real problem.  As I have said before, the PCI DSS is not perfect, but it is a lot better than Mr. Jones’ approach, which is apparently to do as little as possible and whine about it.
