The Green Sheet Online Edition
June 08, 2009 • Issue 09:06:01
PCI unlocks a treasure of security content
The Web site of the Payment Card Industry (PCI) Security Standards Council (SSC) - perhaps the definitive source of information on the PCI Data Security Standard (DSS) - provides a valuable service: consolidating and storing what can be an overwhelming array of information pertaining to industry standards.
The site, www.pcisecuritystandards.org, is both thorough and impressive - a reservoir of information, painstakingly detailed and chock-full of assorted links. Navigating its many pages of content, it's hard to imagine that anything - even the smallest informational tidbit - has been overlooked.
But while potentially very helpful, such a collection of information can pose problems as well. While each page on the site is tidily arranged, collectively the various links form a somewhat confusing mass of options within options.
Information of all sorts can be had, but it's frequently tucked away and separated from the navigator by multiple clicks. Links lead to more links, and then more links after that - all of it usually ending in a document that requires downloading (everything on the site is available in both PDF and Microsoft Word formats). Not to mention, many of these documents are themselves enormous.
All of which is hardly the fault of the Web site's layout - which actually does a decent job of keeping all the information reined in, given the sheer volume of what it covers. Indeed, despite the many links bordering the pages and sometimes covering pages entirely, things are generally easy to find.
Often, links appear more than once on the same page, making it hard not to stumble across information pertinent to whatever visitors seek.
Still, one can imagine security novices visiting the Web site and growing increasingly discouraged as they click and click, watching the information accumulate until it overwhelms. Finding information is easy. But then, what do you do with it?
For example, one link on the homepage goes to an explication of the PCI DSS itself, likely a popular destination for visitors to the site - and seemingly a good starting point for anyone tackling issues related to payment data security.
The link opens a licensing agreement, and agreeing to that yields two options: "Supporting Documents" and "Download the Specification." The latter is the nitty-gritty, a rundown of the actual standard - 72 pages of PCI DSS requirements, procedures for implementing said requirements, procedures for testing existing networks, directions for compliance maintenance and numerous checklists to keep track of it all.
A multitude of resources
Like the Web site at large, the document begins simply enough - with a one-page synopsis of the 12 essential requirements that form the crux of the standard - before fanning out into more specifics.
But that is only the beginning, for the PCI DSS explanation does not stand on its own. From "Supporting Documents," another page is called up with separate links to 14 more documents - all adjuncts to the core rundown.
While it's unlikely that even the most zealous security person would read all 14 documents - a few target only specific industry players, including several aimed at the different types of security auditors - some could be of importance to security novices.
Most notable is the adjunct "Navigating PCI DSS," a 55-page text that strives to help readers with "understanding the intent of the requirements."
Another document lists all the differences between the original and updated versions of the PCI DSS (the updated regulations, PCI DSS version 1.2, went into effect October 2008). Both the original and updated versions are available for download on the Web site. Other supporting documents are less daunting, like the glossary of terms, which elucidates words (network segmentation) and acronyms (IPSEC - Internet protocol security) likely to rear their heads in a study of the PCI DSS.
The list, or another like it, is indispensable for industry novices; one can't learn while reading an unfamiliar language. Speaking of which, most of the major documents on the Council's site are available in a number of foreign languages, including Chinese, German, French, Italian, Japanese, Portuguese and Spanish.
Indeed, the Council's global reach is evident throughout the site - not least on its lists of security referrals, which are located in a multitude of foreign countries. For example, its list of Qualified Security Assessors (QSAs) includes proprietors in the U.K., Sweden, Switzerland, Japan, Australia, Brazil, Ukraine and Saudi Arabia, among others.
Generally speaking, the Web site reinforces the PCI SSC's status as a global body with international reach and perspective, with the sort of geographically boundless influence usually reserved for government bodies.
Its influence is also reflected in the site's comprehensiveness, which makes it relevant to all entities with a vested interest in payment data security - however small or large their role, or where on the payment chain they operate.
Other links include the full regulations for PIN entry devices and payment applications; exhaustive lists of QSAs, Payment Application QSAs and Approved Scanning Vendors; and an education section, complete with fact sheets, webinars and links to security training classes.
There is a list of recent and upcoming conferences dealing with data security; recent press releases about the PCI SSC; frequently asked questions ("What is meant by adequate network segmentation in the PCI DSS?" for example); and an explanation of the PCI SSC, complete with a diagram of its different departments and an application to join (the cost is $2,500 as of June 2009). Like the PCI DSS itself, www.pcisecuritystandards.org is well-organized, as you would expect from the world's foremost payment security body.
But the question becomes: Can those who operate under the standard, particularly small merchants without a lot of resources to devote to security, rely on the site for achieving PCI compliance? The Web site provides a crucial resource for all things PCI, but is nonetheless a reminder of just how daunting the challenge of proper security maintenance can be.
With that in mind, the prominence of security referrals and educational tools on the site speaks volumes. If nothing else, the Web site can be an important starting point - a place to visit, not with the goal of becoming a full-blown expert in the world of data security, but to look up a specific point, question or person. The site might well be equipped with the message: Learn what you can here, but most important of all, call an auditor.