Compliance is Not Supposed to be Security

Posted on by Fahmida Y. Rashid

With all the high-profile data breaches at major retailers over the past few months, it’s tempting to write off PCI DSS as ineffective. After all, the security standard clearly didn’t protect these companies from attack.

Then again, perhaps we are looking at the standard all wrong. Businesses—and often auditors—measure their security effectiveness against PCI DSS because its requirements are so comprehensive. But that misses a critical point: PCI DSS is a data security standard. Its sole focus is to protect the credit card data used in transactions, stored in databases, and transmitted over systems.

It was never supposed to be the only thing organizations did regarding security, said Chris Strand, a compliance consultant for security company Bit9. It was supposed to be one task out of many. Compliance is not security. And it's not intended to be.

Strand is not alone in this view, and he said it was a key theme coming out of the North American PCI Community Meeting in Orlando, Florida, earlier this month. It seems like a surprising admission for the Payment Card Industry (PCI) Security Standards Council to make. In fact, the PCI Council is making the point that PCI DSS is a prescriptive standard, he said.

According to Strand, even the PCI Council’s incoming general manager Stephen Orfei noted in his keynote that no single prescription can fix all the security problems within an organization.

The PCI Council has been encouraging organizations to take a more proactive view of security and not rely on specific pieces of technology. It’s no longer about checking off a box because the company bought the relevant technology. PCI DSS 3.0, which went into effect in January, emphasizes having measurable security controls to protect data. “For me to meet PCI DSS, I now have to be able to prove that I have the control, and also show the control actually works,” Strand said.

Security professionals should be thinking less about implementing PCI DSS and more about interpreting the requirements, Strand recently wrote on the Bit9 blog.

PCI DSS is based on continuous compliance. A company can be PCI compliant, but the day it forgets to run a daily scan, it is out of compliance. One way to avoid that is by focusing on the “business-as-usual” activities. This new requirement, introduced in 3.0, calls for administrators to have visibility across the system and to know what is in scope, how people get in and move around, and what changes have been made. Administrators “need to know what a good day looks like” before they can track down the bad and abnormal, Strand said.
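The continuous-compliance idea above (and the point earlier that a control must be shown to actually work) can be turned into an evidence check rather than a checkbox. The following is an added example, not code from the article or from Bit9; the scan timestamps, scope baseline and change records are constructed sample data, and the 24-hour scan cadence plus a two-hour grace window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample evidence: completion times of the daily vulnerability scan.
SCAN_RUNS = ["2014-09-01T02:00:00", "2014-09-02T02:05:00",
             "2014-09-04T02:00:00", "2014-09-05T02:10:00"]
# Constructed documented scope versus hosts actually observed on the segment.
BASELINE_SCOPE = {"pos-01", "pos-02", "db-cards"}
OBSERVED_HOSTS = {"pos-01", "pos-02", "db-cards", "pos-03"}
# Constructed change records; a change with no ticket was not approved.
CHANGES = [{"host": "db-cards", "ticket": "CHG-1"}, {"host": "pos-02", "ticket": None}]


def missed_scan_windows(runs, max_gap_hours=24, grace_hours=2):
    """Return (previous, next) run pairs between which the daily scan lapsed.
    Any gap larger than the cadence plus grace is a break in continuous compliance."""
    times = sorted(datetime.fromisoformat(t) for t in runs)
    limit = timedelta(hours=max_gap_hours + grace_hours)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(times, times[1:]) if b - a > limit]


def scope_drift(baseline, observed):
    """Hosts seen but not documented as in scope, and documented hosts not seen."""
    return {"unknown": sorted(observed - baseline), "missing": sorted(baseline - observed)}


def unapproved_changes(changes):
    """Hosts changed without an approved change ticket."""
    return [c["host"] for c in changes if not c.get("ticket")]


def compliance_report(runs, baseline, observed, changes):
    """Evidence that the controls work, not just that they exist."""
    drift = scope_drift(baseline, observed)
    findings = {
        "missed_scans": missed_scan_windows(runs),
        "scope_drift": drift,
        "unapproved_changes": unapproved_changes(changes),
    }
    findings["continuously_compliant"] = not (
        findings["missed_scans"] or drift["unknown"] or drift["missing"]
        or findings["unapproved_changes"])
    return findings


if __name__ == "__main__":
    for key, value in compliance_report(SCAN_RUNS, BASELINE_SCOPE, OBSERVED_HOSTS, CHANGES).items():
        print(f"{key}: {value}")
```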

While the 3.0 standard is more relevant to the current threat landscape, the changes also mean that becoming compliant has become harder, Strand said. “The level of scrutiny is going up.”

Instead of dismissing PCI DSS outright, take a look at the new requirements in PCI DSS 3.0 and figure out what controls you need. Once the controls are in place, think about how to prove the controls are actually doing what they are supposed to be doing.

As Strand wrote in the blog post, “The end goal should not simply be compliance, but a more effective security program to protect sensitive data.”

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference

