02 Dec 09

Framework Versus Standard

I think one of the biggest problems with the PCI DSS is that the PCI SSC chose to use the word 'Standard' in its name and declared itself a standards-setting body. The word standard is defined by Merriam-Webster's Dictionary as "something established by authority, custom, or general counsel as a model or example." Standards dictate what someone or something should do in a given situation. Look at the IEEE, for example. They are a true standards-setting body, and the standards they issue are very prescriptive. You are not to vary from an IEEE standard without becoming non-compliant.

When you look at the PCI DSS, it is more of a framework than a standard. A framework is defined as "a basic conceptual structure." Frameworks document the boundaries of what is acceptable for addressing particular problems but do not prescribe specific solutions. In my opinion, the PCI DSS is a framework, not a standard. I think that is why a lot of people and organizations struggle with complying with the PCI DSS. If it were a true standard, then it would tell them exactly what to do and where to do it.

That is the problem with security. One size or solution does not fit all. What works in one situation may not work in another. Even in the same organization, you can have different security solutions for the same problem. Over time, while an original solution may be working fine, a newer solution will be implemented to resolve a similar situation because either the original solution is no longer available or it has changed and is no longer viable for the new requirement.

So let us stop getting hung up on the word 'standard' and move on. The PCI DSS is not a standard; it is a framework, one that sets the baseline of what, at a minimum, is required to protect cardholder data. If you can execute the framework on a consistent basis, then you will be ahead of the game. If you cannot execute it on a consistent basis, then you should do everything you can to not store cardholder data.
