Framework Versus Standard

I think one of the biggest problems with the PCI DSS is that the PCI SSC chose to use the word ‘Standard’ in its name and declared itself a standards setting body.  The word standard is defined by Merriam-Webster’s Dictionary as “something established by authority, custom, or general consent as a model or example.”  Standards dictate what someone or something should do in a given situation.  Look at the IEEE for example.  They are a true standards setting body and the standards they issue are very prescriptive.  You are not to vary from an IEEE standard without becoming non-compliant.

When you look at the PCI DSS, it is more of a framework than a standard.  A framework is defined as “a basic conceptual structure.”  Frameworks document the boundaries of what is acceptable for addressing particular problems but do not prescribe specific solutions.  In my opinion, the PCI DSS is a framework, not a standard.  I think that is why a lot of people and organizations struggle with complying with the PCI DSS.  If it were a true standard, then it would tell them exactly what to do and where to do it.

That is the problem with security.  One size or solution does not fit all.  What works in one situation may not work in another.  Even within the same organization, you can have different security solutions for the same problem.  Over time, while an original solution may still be working fine, a newer solution will be implemented to resolve a similar situation because either the original solution is no longer available or it has changed and is no longer viable for the new requirement.

So let us stop getting hung up on the word ‘standard’ and move on.  The PCI DSS is not a standard; it is a framework, one that is a baseline of what, at a minimum, is required to protect cardholder data.  If you can execute the framework on a consistent basis, then you will be ahead of the game.  If you cannot execute it on a consistent basis, then you should do everything you can to not store cardholder data.

December 2009