April 12, 2009

PCI Standards Are Overly Complex

At the March 31, 2009 hearing held by the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Mr. Michael Jones, CIO of Michaels Stores, Inc. stated, “The PCI Data Security Standards are an extraordinarily complex set of requirements. They are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement.”  Let’s examine his statement and see if or where Mr. Jones is going off track.

First, let’s take his remarks regarding the fact that the PCI DSS is “confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement.”  After attending my latest recertification training, I can understand his remark.  There were a few QSAs in attendance who did not appear to fully understand what the PCI DSS is about or the concept of risk management.  However, these QSAs were a small minority of the attendees.  That said, there are a number of areas in the PCI DSS that are open to interpretation between the QSA and the acquiring bank.  So, while a QSA may interpret a given area as being compliant, the acquiring bank may not take the same view.  Given all of this, I’ll give the confusion and subjectivity points to Mr. Jones.  However, on the enforcement side of his comment, I think Mr. Jones is all wrong.  From my involvement in a variety of card brand enforcement actions, the card brands are neither confused nor subjective when it comes to enforcement, far from it.  So, it’s a split decision so far.

Now let’s tackle the big issue, that the PCI DSS is “extraordinarily complex.”  Apparently, Mr. Jones has not seen the NSA security standards, the ISO 27000 series or the NIST standards that implement FISMA.  If he thinks the PCI DSS is complex, he’s in for an extremely rude awakening if he ever sees these other security standards.  The PCI DSS is nothing more than a consolidated collection of information security ‘best practices’ for the protection of cardholder data (CHD).  It could be used as a framework for protecting any personally identifiable information (PII), and I typically recommend the PCI DSS to clients that are looking for a PII security framework.  It’s obvious that Mr. Jones does not have much of a background in information security, or he would recognize that there is nothing especially new or complex in the PCI DSS.  Based on my experience with organizations taking similar positions, I’m betting that Mr. Jones and his staff are not in a position to be able to address network and data security.

Finally, Mr. Jones stated that the PCI DSS is “very expensive to implement.”  I am guessing that this statement is the result of Mr. Jones running his operation on a shoestring budget with very little in the way of modern hardware and software.  While this sort of management style makes lots of friends with the other C-level executives, it does nothing to help the organization adapt to the changing retail environment.  But regardless of whether we are talking about retail or any other type of organization, what gets lost because of this shoestring approach is that there is a baseline cost of doing business that must be met just to be in business.  For Michaels Stores, this would likely include applications such as an inventory management and distribution system, a point of sale system, a merchandising system, an Internet-based store, etc., and all of the necessary hardware, utility software and networks to support it all.  All of these components have a cost associated with them, both an initial cost and on-going costs for support, security, privacy, maintenance, training and replacement.  I cannot tell you how many organizations, of all industries and sizes, that I have worked with over the years do not compute total on-going costs so that they can plan and budget properly.  As a result, the management of these organizations goes through ‘shock and awe’ every time they need to invest in anything, because things are never planned; they are always a surprise.  I’m again betting that Mr. Jones operates in this manner and, as a result, got caught without any way to provide an option to get PCI DSS compliant because of short-sightedness on his part.

In the end, I think Mr. Jones used his appearance at the House hearing as a way to justify his own short-sightedness.  It is these sorts of people who blame everyone but themselves for their problems when it is their limited and irrational views that are the real problem.  As I have said before, the PCI DSS is not perfect, but it is a lot better than Mr. Jones’ approach, which is apparently to do as little as possible and whine about it.


4 Responses to “PCI Standards Are Overly Complex”


  1. 1 S
    November 24, 2011 at 7:51 AM

    I agree with you. PCI DSS is not really complex compared to ISO 2700x and other standards.
    I think the difference is in the scope, because in ISO 2700x, for example, we choose our scope, compared to PCI DSS where the scope can be “bigger”.

    • November 24, 2011 at 8:47 AM

      You can use the PCI DSS as a framework and expand the scope to include all sensitive information (aka PII) such as social security number, drivers license number, etc. However, for generic security I would recommend the ISO 27K series as the framework.

  2. May 4, 2009 at 4:24 PM

    If you’re looking for a really simple solution I would try Braintree Payment solutions. I know the owner has been in the industry for a long time and has put together a great product. http://www.braintreepaymentsolutions.com/pci-dss-compliance/

  3. April 12, 2009 at 6:20 PM

    I think the biggest problem we see in the marketplace is other QSAs that come in and sign off that a merchant or service provider is PCI compliant with what we call a “drive by audit”.

