Thinking About Using the PCI DSS as a Standard for Other Regulations? Don’t.

In a recent article in SC Magazine, “An Inconvenient Truth: New Customer Data Regulations Coming”, Jeremy King of the SSC suggests that the Payment Card Industry (PCI) “provides the most complete set of data security standards available globally.” I can only assume he means that the PCI Data Security Standard (DSS) contains a list of basic security controls every organisation should have in place, and not that the PCI DSS in any way resembles real-world security.

Because it doesn’t, and you only have to look at the number of breaches involving ‘PCI compliant’ merchants and service providers to see that PCI, by itself, does little to prepare organisations against the challenges they face.

PCI compliance is a commercial obligation, nothing more, and any fines levied are only paid because the merchant or service provider who was breached wants to keep taking plastic. The Payments Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR) will be LAW in the 28 countries of the EU, and attract both legal and financial repercussions that could potentially cripple even the largest of businesses. No standard based on a bare minimum set of controls will ever protect personal data in a meaningful way.

Nor will any ISO standard, or COBIT, or any other information security framework for that matter. At least the PCI DSS puts its money where its mouth is and tells you what controls to implement; all security frameworks do is tell you something is a good idea, never how to do it in a manner appropriate to your business.

Because they can’t: only the individual organisation can ever provide definition, and business justification, around the horribly inexact – but regulation-standard – phrases ‘appropriate’ and/or ‘reasonable security’.

The implementation of a security program that can meet the intent of ANY regulation includes very specific processes that the PCI DSS does not cover, or covers only in a very limited fashion with nowhere near the emphasis required to express their importance. For example:

  1. The Risk Assessment (RA) is way down in section 12, when it should have been the very first thing performed before PCI compliance was even contemplated. An RA performed in line with the PCI DSS would not be sufficient.
  2. The only nod to Disaster Recovery and Business Continuity Planning is a single bullet in 12.10.1, when these processes are absolutely central to any organisation staying in business responsibly.
  3. The requirements related to 3rd party due diligence are entirely inadequate relative to the risk involved.

…and so on. I have addressed the inadequacy of the actual PCI controls many times, so I won’t bother repeating them here. Suffice to say, the majority of the controls would be nowhere near enough.

There are only 3 main ways to appropriately address the current and new tranche of regulations / directives:

  1. Make the CEO legally responsible for security breaches, and apply criminal penalties in line with the egregiousness of the negligence – Clearly fines don’t worry CEOs enough; perhaps some jail time would.
  2. Ensure the policies, procedures, and standards are world-class – There is no security program without the application of accurate corporate knowledge.
  3. Training & Education – This should be self-explanatory.

Compliance with any of the upcoming regulations is no different from any regulation already in place. There is nothing outside of an appropriate security program that will ever be required, so just do the things you should have been doing from the very beginning.

Security is not easy, but it IS simple.

3 thoughts on “Thinking About Using the PCI DSS as a Standard for Other Regulations? Don’t.”

  1. Here’s Risk Assessment #1: “Almost any risk is acceptable until it happens. And happens to us.” That’s why many if not most risk assessments are worthless. They should be called Risk Justifications.

    The primary reason for the PCI Fail is because of the Self-Assessment Questionnaires. See Risk Assessment #1 for why. As Dr. House so eloquently put it: “Everybody lies.” And until they get tagged, it works as a great cost reduction method.

    Disaster Recovery and Business Continuity have no place in PCI-DSS. They have nothing to do with preventing card data loss. If you’ve ever had an ASV scan, you’ll know that serious deficiencies are marked as OK because they cannot result in card data loss. PCI-DSS is not about security of the organization or its Data Security and people seem to think it is.

    Sarbanes-Oxley got the attention it deserved precisely for the reason you noted: Executives were threatened with jail. While precious few actually served any time, the “perp walk” itself is a good deterrent. That and the external auditors noting a material deficiency in the 10-K.

    And anybody who takes the articles in SC Magazine seriously is management material. Those of us in the trenches know that if SC Magazine recommends it, it’s usually a POS. Heck, the fellow who wrote that article is from PCI. You know, because that organization has been so successful in its mission.

  2. Hey, this paragraph got modified to remove the angle brackets. Try it like this:

    (set sarcasm mode on) Disaster Recovery and Business Continuity have no place in PCI-DSS. They have nothing to do with preventing card data loss. (set sarcasm mode off) If you’ve ever had an ASV scan, you’ll know that serious deficiencies are marked as OK because they cannot result in card data loss. PCI-DSS is not about security of the organization or its Data Security and people seem to think it is.
