The Green Sheet Online Edition
December 13, 2010 • Issue 10:12:01
PCI: The year in review, the year to come
With the new year approaching, it's good time to step back and review what 2010 was like for the Payment Card Industry (PCI) Data Security Standard (DSS) compliance program, and look at what has gone right, what has gone wrong, and what ISOs, banks, and the rest of the payments industry should expect in the coming year.
2010 in review
The year 2010 was basically one of steady, unspectacular progress: the standard itself was expanded and refined to some degree, and the industry as a whole saw incremental improvement in the compliance and validation rates across the board.
Also, another year's worth of exposure made PCI more familiar to merchants, their banks and ISOs, and security issues became a more routine "part of doing business" for everyone. All of this is real progress that directly serves the ultimate goal of PCI: to protect cardholders, their privacy and their transactions.
As described, this might sound like a fairly mediocre year in many ways, but it's probably unrealistic to ask for much more.
A program such as PCI is very hard to implement; it asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times. (And you can't implore merchants to take time to understand the relevant issues because the challenge is getting them to devote any time to PCI in the first place.)
A core issue with PCI remains the fact that it demands expertise from merchants, and the majority of merchants simply do not have that expertise, nor do they have an easy way of obtaining it.
This is particularly a problem for Level 4 merchants, and while some companies know how to solve this problem, the industry as a whole is still trying to come to grips with it.
A matter of speed
During 2010, other trends also became more visible. One such trend is that as PCI matures, it gains weight and inertia as a growing set of expectations, documentation and processes, and that makes it harder to make changes nimbly and swiftly. Doing so would confuse a lot of people in the industry and would likely be seen as a show of inconsistency, not a show of initiative.
Pushing too hard to change course too quickly at this point is guaranteed to create nothing but a backlash, which would be counterproductive.
Thus a genuine structural problem exists because on the one hand, the standard can't change too quickly without giving everyone whiplash.
But at the same time, the underlying reality can and does change quickly. (This relates to the speed with which technology changes and the fact that security is always an arms race or fight between the "good guys" and "bad guys."
The security situation changes continually for the same reason football players move around all the time: they're trying to get past or to stop the opposition.)
This all means there are only two simple choices for PCI: "too slow" or "too fast" - either move too slowly to deal with the real threats and changes to the security world, or move too quickly to be acceptable as a formal process.
The response to this from the PCI Security Standards Council in 2010 - and it's the right one - has been to gradually evolve PCI away from either of these simple choices toward something that is more complicated, but also is consistent and flexible enough to deal with these issues.
This risk-based approach will take some years to coalesce, but when it does, the standard will be structurally better at dealing with this core issue.
What worked and what didn't
Another change that we saw in 2010 is that the industry now has enough history with PCI for first-generation solutions and approaches to have built up a track record, and we can see which ones work well and which do not.
Understandably, significant change or disruption has occurred in the Qualified Security Assessor (QSA) space, because consulting is a fairly mature, stable type of business; however, dealing with Level 4 merchants is a complicated business, and one where old, established solutions do not exist.
There are signs that the early companies that moved into the QSA space are being supplanted by later, more sophisticated and feature-rich alternatives.
We see a steady migration of ISOs and banks away from these first movers and expect this trend to continue throughout 2011, with simplistic web-form based solutions being replaced by solutions that recognize that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.
What 2011 will bring
Ideally, the new year will be a continuation of the old, not because 2010 was such a wild success, but because continuity and incremental change is the only viable strategy for a maturing standard such as PCI.
The changes we expect to see to the standard and the industry include:
- A continued slow move toward a more risk-based approach to security
- An escalation in attacks against small merchants (This trend is driven, incidentally, by the success to date of PCI's efforts in improving security at larger merchants. Rather than go away, the attackers are shifting focus to the more vulnerable, smaller merchants.)
- A growing recognition that smaller merchants need PCI programs that are more sophisticated and comprehensive than some of the older solutions in use today
- Higher expectations on ISOs, acquirers and others regarding their PCI programs for smaller merchants
- A greater emphasis on explicit metrics for defining and tracking success with PCI programs
- Growth in the international nature of PCI, with other parts of the developed world starting to catch up with the United States
PCI is a messy combination of technology, security, politics and money issues, but ISOs and others who prepare for the coming changes will have a simpler, more successful year ahead.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.