The Green Sheet Online Edition
January 09, 2012 • Issue 12:01:01
PCI: The year in review, the year to come
The start of the new year is a good time to review what 2011 was like for implementation of the Payment Card Industry (PCI) Data Security Standard (DSS). I especially want to revisit what has gone well, what has gone wrong, and what ISOs, banks and the rest of the payment card industry should expect in the coming year.
How we did in 2011
The year just finished contained several elements of steady but unspectacular progress: minor updates to the PCI DSS and Self-Assessment Questionnaires (SAQs) were rolled out to Level 4 merchants and generally caused little disruption. Also, the industry saw incremental improvement in compliance and validation; it's probably unrealistic to ask for much more.
A program like the PCI DSS is very hard to make work. It asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times. And we can't assume the difficulties would disappear if merchants took the time to understand the issues, because the challenge is getting them to take the time in the first place.
One of the core issues with the PCI DSS is that it demands expertise from merchants. But most merchants simply do not have that expertise - or any easy way of getting it. This is particularly a problem for Level 4 merchants. And while some companies know how to solve this, the industry as a whole is still trying to come to grips with it.
First gear or overdrive?
The year just ended saw some other trends continue to become more visible. At the end of 2010, I predicted that 2011 would see growing tension between a slow-moving standard like the PCI DSS and a fast-moving industry. That has certainly proven to be the case.
On the one hand, the standard can't change too quickly without giving everyone whiplash. On the other hand, the underlying realities of our industry are changing quickly due to things like tokenization, virtualization and mobile payments. This presents only two real choices for the development of the PCI standard: too slow or too fast.
Moving too slowly fails to deal with the real threats and changes to the security world, while acting too swiftly is unacceptable for a formal process. We have found no easy answer to this.
What I can see working is a continued evolution of the standard toward a more complete, risk-based approach. Doing so is more complicated and less able to produce simple universal answers, but it is the only approach that has the required flexibility. This evolution will take years to achieve. But when it does, the standard will be structurally better at dealing with this central tension.
We saw other changes to the industry in 2011. As could have been predicted, the Qualified Security Assessor space continues to be a relatively mature, stable business. But dealing with Level 4 merchants remains a far more complicated business.
At the end of 2010, we started to see evidence of a slow but steady migration of ISOs and banks from simplistic, web-form-based SAQs to more feature-rich solutions. The latter demonstrate that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.
What will 2012 bring?
I hope the new year will be a continuation of the old - not because 2011 was such a wild success, but because continuity and incremental change are the only viable strategies for a maturing standard like the PCI DSS. The changes to the standard and the industry that I expect to see include:
- Continuing difficulty for the industry in adapting to the challenges and disruption caused by mobile payments and other emerging technologies
- A corresponding continuation in the slow move toward a more risk-based approach to security
- An escalation in attacks against small merchants - driven, incidentally, by the success of the PCI's efforts in improving security at larger merchants; attackers are now shifting focus to the more vulnerable smaller merchants
- A growing recognition that smaller merchants need PCI programs that are more sophisticated and comprehensive than some of the older solutions still in use today
- Higher expectations of ISOs, acquirers and others regarding their PCI programs for smaller merchants
- A greater emphasis on explicit metrics for defining and tracking success with PCI programs
- Market consolidation and simplification, driven in part by a move by the large players away from vendor-based solutions and toward internally provided applications
- Growth in the international nature of the PCI DSS, with other parts of the developed world starting to catch up with the United States
Nothing is certain with things like the PCI DSS, which is a messy combination of technology, security, politics and money issues. But I am confident that those who prepare for the coming changes will have a simpler, more successful year ahead.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599-3454.