In honour of the SSC’s 10th year in power [oops!] business, I thought it would be interesting to run a little retrospective.
On December 15th, 2004, a day that will live in infamy, Visa released the Payment Card Industry Data Security Standard (PCI DSS) v1.0.
~2 years later, the PCI Security Standards Council (SSC) was formed, closely followed by the release of DSS v1.1.
Six iterations later, here we are at v3.2.
To emphasise yet again just how sad I am, I chose to map v1.1 against not just the v3.2 standard itself, but its corresponding Report on Compliance (RoC) Reporting Template. While this seems like an extreme comparison (download it here), I wanted to get the full flavour of just how PCI compliance assessments have evolved in the 10 years since v1.1’s debut.
At first blush, they would appear to be radically different. For a start, v1.1 was just 17 pages long, v3.2 is 139 pages, and the RoC Reporting Template is a whopping 198 pages! But what becomes clear very quickly is that most of the changes are related to assessment guidance, validation guidance, and wave after wave of clarifications.
I mean, seriously, excluding the Bill of Rights the US Constitution has only been amended 17 times in 227 years!
Take Requirement 1.1.1 for example, this is what v3.2 looks like in the v3.2 RoC Reporting Template:
This is from v1.1:
Radically different, right?
Not really, everything in 1.1.1.a – 1.1.1.c is validation guidance, nothing more. In other words, if the original v1.1 assessors were doing a good job, this is how they would have assessed their clients back in 2006.
But they weren’t doing a good job. Not even close. Even into v1.2, QSAs were still filling out ‘Yes’ for in place and ‘No’ for not in place.
What we have seen from v1.2 onwards is the gradual increase in detail related to the validation that has to be performed. From v2.0, a separate document was provided to QSAs, the ‘ROC Reporting Instructions for PCI DSS v2.0’, that broke down what was expected during compliance validation.
This was also implemented poorly by a lot of QSA companies, while others were clearly unaware of its very existence.
Roll on DSS v3.0, the version that caused by far the biggest stir in the PCI community since the DSS’s initial release. There were shouts from the merchants that the SSC had just raised the bar to unacceptable heights. There were even complaints from QSAs that the ‘new’ instructions would increase the workload to the point that assessments would be unprofitable. And worst of all, the more unscrupulous QSA companies actually raised their prices! Here are my thoughts on those companies: PCI DSS v3.0 – Do NOT Pay More For Your QSA Services!
The fact is that v3.0 was a consolidation of the DSS Requirements and the Reporting Instructions, and little more (detailed mapping here). If the QSAs and the organisations they were assessing had been performing assessments properly, the effects would have been minimal.
How Similar is v1.1 to v3.2?
About 82% according to my calculation. Obviously this is at the overarching control level, not the validation detail. v1.1 had exactly zero guidance in that regard.
Other than some wording and requirement numbering changes the controls have remained remarkably consistent.
…and the ‘major’ changes aren’t really that major. Certainly nothing outside of basic common sense:
- Req. 1.1.3 – Cardholder Data Flow Diagrams – [How would you determine scope in the first place?]
- Req. 2.4 – Asset Inventory – [Seriously, how could you possibly achieve PCI compliance without one?]
- Req. 5.x – Make sure anti-virus is actively running etc. – [Really!?]
- Req. 7.x – Additional requirements around job classification etc. – [RBAC is RBAC, this should never have needed changing.]
- Req. 8.6 – ‘Other’ Authentication Mechanisms – [About time non-password stuff was introduced.]
- Req. 9.3 – Physical access based on job function – [As opposed to?]
- Req. 9.9 – Protection of Terminals (only affects retail) – [Sigh…]
So What Are You Saying?
There are two ways to look at these results:
- The main controls of the DSS were correct from the very beginning and there has been no change in either the threat landscape, or security technology; and
- The card schemes do not WANT to make significant changes, because they already consider the controls to be risk reduction enough. Not to mention the poo-storm that would descend on them if they did.
I think we all know that the first option isn’t true, so that leaves the second. And can you really blame them? Besides, what does it really matter? The DSS will never have the opportunity to improve much beyond minor clarifications. Payment cards just don’t have enough life-span to warrant anything else.
Nothing more to add really, now I need to go get a life.