
PCI-DSS Compliance: Part 3

The PCI-DSS standard was created in 2004, and ever since its inception it has been surrounded by a good deal of controversy. Many information security professionals feel that this standard is too lax and needs to be tightened. Many merchants have the opposite opinion; they feel that complying with this standard requires too much money and effort. I have also heard individuals from companies that comprise the Payment Card Industry Security Standards Council (PCI SSC) publicly say that they feel that the PCI-DSS standard represents a reasonable balance between good security and realistic, achievable security. I tend to agree with the last view. Granted, this standard is not ultra-rigorous, but it is sufficiently rigorous to ensure that reasonably good practices and controls needed to counter most attacks against credit card data will be in place. The goal of information security, after all, is to mitigate risk to an acceptable, not a perfect, level. At the same time, if this standard were more rigorous, many merchants would experience considerable difficulty and would incur huge expenses in achieving compliance.

But there is a problem—a big one—with the way PCI-DSS compliance currently works. Once a merchant is certified as being compliant, that merchant is deemed compliant for a year. As Emagined Security’s Chief Operating Officer, Paul Underwood, says, why should an audit be good for one year? He thinks that an audit should be good for as long as the merchant maintains the standards on which the audit was based. Paul’s view is very reasonable, but the question of how the merchant and the PCI SSC would know whether or not the merchant remained compliant over time is not an easy one. Several possible solutions include:

• Conduct “mini-audits” over time. The PCI-DSS standard contains twelve requirements. Perhaps every three months or so one or two auditors could randomly choose one or two of these requirements and then perform audits based on them. The merchant would never know in advance which requirements an upcoming “mini-audit” would cover, so the only reasonable strategy would be to ensure that compliance in all required areas is maintained.

• Use a continuous auditing approach. There is a fairly strong movement within the auditor community to collect and analyze audit data on a daily basis, rather than conducting large-scope audits every one to three years. Network monitoring could, for example, run continuously; the data could be made available to auditors, who might look for security problems such as the presence of traffic from an external source that should not have gotten through an edge firewall.
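As an added illustration of the continuous-auditing check described in the second bullet (this is example code, not something from the original post or from Emagined Security), the script below replays a constructed sample of accepted flow records against a constructed edge-firewall policy and reports every inbound flow from an external source that the policy says should never have reached a protected network. The policy, the address ranges and the flow records are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the protected networks are the internal address
# space plus a DMZ; anything else is treated as an external source.
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]

# Constructed edge-firewall policy: the only inbound traffic allowed from the
# outside is to the public web host on 443/tcp and 80/tcp.
ALLOWED_INBOUND = {("203.0.113.10", "tcp", 443), ("203.0.113.10", "tcp", 80)}

# Constructed sample of flows as an internal collector might record them:
# timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 198.51.100.7 203.0.113.10 tcp 443
2024-05-01T10:00:02Z 10.20.0.5 10.30.0.9 tcp 3306
2024-05-01T10:00:03Z 198.51.100.7 10.30.0.9 tcp 3306
2024-05-01T10:00:04Z 192.0.2.44 10.10.0.2 tcp 22
2024-05-01T10:00:05Z 198.51.100.8 203.0.113.10 udp 53
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flows(text):
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport)))
    return flows

def is_protected(addr):
    return any(addr in net for net in PROTECTED_NETWORKS)

def find_edge_violations(flows):
    """Return flows that entered a protected network from outside without a
    matching allow rule, i.e. evidence the edge firewall is not enforcing policy."""
    return [f for f in flows
            if not is_protected(f.src) and is_protected(f.dst)
            and (str(f.dst), f.proto, f.dport) not in ALLOWED_INBOUND]

if __name__ == "__main__":
    for f in find_edge_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"{f.ts} external {f.src} reached {f.dst} on {f.dport}/{f.proto}")
```

Run daily against the real collector's output, the non-empty result is exactly the kind of audit evidence an auditor would want to see between annual assessments.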

I have heard numerous people from the PCI SSC express concern that once a merchant achieves PCI-DSS compliance, that merchant is likely to shift focus to something else besides day-to-day compliance until the next audit is imminent. This, according to these individuals, is what contributes significantly to the kinds of data security breaches that WorldPay and TJ Maxx have experienced. Conducting “mini-audits” or using a continuous auditing approach would go a long way toward addressing PCI SSC concerns about continuous compliance.
