By Tim Cranny
Panoptic Security Inc.
The start of the new year is a good time to review what 2011 was like for implementation of the Payment Card Industry (PCI) Data Security Standard (DSS). I especially want to revisit what has gone well, what has gone wrong, and what ISOs, banks and the rest of the payment card industry should expect in the coming year.
The year just finished contained several elements of steady but unspectacular progress: minor updates to the PCI DSS and Self-Assessment Questionnaires (SAQs) were rolled out to Level 4 merchants and generally caused little disruption. Also, the industry saw incremental improvement in compliance and validation; it's probably unrealistic to ask for much more.
A program like the PCI DSS is very hard to make work. It asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times. And we can't assume the difficulties would disappear if merchants took the time to understand the issues, because the challenge is getting them to take the time in the first place.
One of the core issues with the PCI DSS is that it demands expertise from merchants. But most merchants simply do not have that expertise - or any easy way of getting it. This is particularly a problem for Level 4 merchants. And while some companies know how to solve this, the industry as a whole is still trying to come to grips with it.
The year just ended saw some other trends continue to become more visible. At the end of 2010, I predicted that 2011 would see growing tension between a slow-moving standard like the PCI DSS and a fast-moving industry. That has certainly proven to be the case.
On the one hand, the standard can't change too quickly without giving everyone whiplash. On the other hand, the underlying realities of our industry are changing quickly due to things like tokenization, virtualization and mobile payments. This presents only two real choices for the development of the PCI standard: too slow or too fast.
Moving too slowly fails to deal with the real threats and changes to the security world, while acting too swiftly is unacceptable for a formal process. We have found no easy answer to this.
What I can see working is a continued evolution of the standard toward a more complete, risk-based approach. Doing so is more complicated and less able to produce simple universal answers, but it is the only approach that has the required flexibility. This evolution will take years to achieve. But when it does, the standard will be structurally better at dealing with this central tension.
We saw other changes to the industry in 2011. As could have been predicted, the Qualified Security Assessor space continues to be a relatively mature, stable business. But dealing with Level 4 merchants remains a far more complicated business.
At the end of 2010, we started to see evidence of a slow but steady migration of ISOs and banks from simplistic, web-form-based SAQs to more feature-rich solutions. The latter demonstrate that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.
I hope the new year will be a continuation of the old - not because 2011 was such a wild success, but because continuity and incremental change are the only viable strategies for a maturing standard like the PCI DSS. The changes to the standard and the industry that I expect to see include:
Nothing is certain with things like the PCI DSS, which is a messy combination of technology, security, politics and money issues. But I am confident that those who prepare for the coming changes will have a simpler, more successful year ahead.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599-3454.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next