The Green Sheet Online Edition
August 09, 2010 • Issue 10:08:01
More than PCI
ISOs, acquirers, processors and merchants are right to focus on the Payment Card Industry (PCI) Data Security Standard (DSS) as their most critical compliance issue in regard to information security. But those who plan on doing long-term business should also be aware of other issues and changes on the horizon (or even closer).
Too many organizations are short term or simplistic in their approach to security and compliance, and in the long term they are setting themselves up for unnecessary risk, cost and effort.
The correct approach, along with the appropriate insight into what is happening, will help ISOs and merchant level salespeople make the right moves at the right time and help keep their merchants safe and loyal.
Focusing on risk management
Risk management isn't just a security standard; it's the issue all the various standards are trying to address and measure. One of the main dangers with PCI is that people get too focused on the standards themselves, while forgetting their purpose is risk management.
Thinking only in terms of passing PCI is responding to a serious fever by saying a particular thermometer has failed the "thermometer test" and trying other thermometers until one indicates a "better temperature."
The only logical approach is to pursue PCI compliance with strong risk management in mind, confident in the knowledge that focusing on the underlying goal will also mean your business will ultimately meet PCI standards.
Don't become fixated on the fine points of the PCI DSS. If you do the right thing by taking measures to assure your system's security, PCI compliance should follow almost automatically.
It's almost always possible to cheat or short-change formal measuring and reporting systems like the PCI DSS, but a short-term tactic usually leads to long-term problems.
As a side note, remember that merchants found to be noncompliant in the inevitable after-breach audit are guaranteed to miss out on any possible safe-harbor provisions available to those who are actually affirmed to have been PCI compliant at the time of a breach.
Breach notification laws
A majority of states have introduced legislation requiring merchants to formally notify customers if their personal information is stolen from a merchant.
These are laws, not just industry standards, so they carry extra weight. Merchants (and their partners) need to remember that they must conform to the laws of each state in which they do business.
In addition to the embarrassment and damage these breach notifications can cause a company's brand, the laws impose expensive, effort-intensive processes on breached companies, and these often prove far more expensive than the explicit fines or penalties.
Federal and state regulation of the financial sector
As part of, and in response to, the recent financial crisis, it is inevitable that a range of further regulations and compliance regimes will be imposed on the financial sector in the near future. It is likely that some of those will directly affect the payments industry.
Federal and state cyber-security laws are only now being thought up or drafted for a range of political, social and technical reasons; it seems inevitable that they are coming.
Compliance laws throughout the supply chain
In addition, health industry laws (such as the Health Insurance Portability and Accountability Act of 1996) impose a range of security requirements not just on companies that work directly in the health industry, but also on companies that provide services to such companies - effectively making these compliance problems more than a little "contagious."
The phenomenon of compliance issues spreading throughout the supply chain is an increasing trend (for good reason, since companies and their data are becoming increasingly mingled and interdependent) and makes it increasingly likely that companies will get hit with compliance and reporting issues they weren't anticipating.
Putting together a long-term program
Payment professionals need to realize the world will get more complicated and that the compliance burden on them and their merchants will increase.
PCI is the right place to focus today, but the issues I've just mentioned should influence their decisions in important ways. For example, these issues mean that a short-term, quick-and-dirty approach to PCI compliance will fail sooner and harder than expected. Putting together a low-effort, "just-say-you-passed" approach is a bad idea for a number of legal and financial reasons even today, but it guarantees even more problems and inefficiencies in the near future. Instead, it makes sense to put together a program that can grow as the compliance burden grows.
ISOs and the merchants they serve have a choice: deal with security and compliance issues in a short-term "do the minimum I can get away with" way, or they can step back and take a "do it once, do it properly" approach that will protect them from both attacks and compliance surprises in the future.
Following the do-it-right path doesn't mean spending more money; it just means spending money in smarter ways. It leads to better security, better and cheaper compliance, and helps the ISO build a foundation for a healthy, long-term relationship with the merchant.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.