I provided my first PCI guidance way back in 2005, and my first on-site assessment was in 2006. Since then I have performed dozens of on-sites across the globe, my last one in 2009. Until December 2012, I ran teams that delivered PCI assessments across EMEA and APAC, all of whom followed a proven methodology that took all the guesswork out of how to achieve compliance, and STAY compliant.
Over the last few months, my changed circumstances have led me back into the PCI weeds, and frankly, I am more than a little disappointed. The payment card industry is no closer to ‘getting it’ than they were 8 years ago, and the guidance provided by a significant portion of PCI professionals leaves a lot to be desired.
After >8 years, the industry SHOULD be integrating their PCI assessment processes into some form of overarching security framework, re-certification SHOULD be nearing business as usual, and QSA quality should have improved.
They’re not, it’s not, and it hasn’t respectively.
I have written several articles on the major issues with the DSS, and what to do about them. I have stated more times than I probably should that the problems begin and end with the CEO, and I have repeatedly quoted my tag-line:
“Security is not easy, but it can be simple.”
I even wrote white papers on How to Sell Security (and therefore how to BUY security), and Selecting The Right QSA For Your Business, in an effort to help standardise and optimise the most important step towards compliance: asking for help.
For some reason this has not had the industry changing effect I had expected. Surely my 18 subscribers – 4 of whom are family members – should have had a bigger impact than this!? [uncomfortable silence]
I have said for a few years now that I should put all of my experience into a PCI self-help book. Well, now I’m going to. Not all at once, mind you; I’m going to write each chapter as a stand-alone ‘white paper’ over the course of the next few months, and will request your feedback on each. When they are as polished as they are going to be, maybe I’ll try to get it published, but I’ll still give it all away here on my blog.
I will also include any tool-sets I use to conduct an assessment (plus samples / examples), and I will provide options for free-ware / cheap-ware tools that I have seen be of some use. I will NEVER recommend anything, and only offer up options upon which you must perform your own due diligence. I may highlight my OWN preferred solutions, but the choices, and therefore responsibility, will always be yours.
These are the chapters I have in mind, and in this order:
- So You Want To Be PCI Compliant? (a.k.a. Buy Nothing Until You Read This!)
- Biased Perspective – What The PCI DSS Is, And What It Can Never Be
- Prepare Your Organisation (i.e. Your CEO) For The Assessment
- The Assessment Pre-Requisites
- Report on Compliance Executive Summary – If You Can’t Write This, Start Again
- DSS Requirement 1 – Networking Stuff
- DSS Requirement 2 – System Configuration Stuff
- DSS Requirement 3 – Encryption Stuff
- DSS Requirement 4 – More Encryption Stuff
- DSS Requirement 5 – Anti-Virus Stuff
- DSS Requirement 6 – Vulnerability Management, Change Control, Secure Coding Stuff
- DSS Requirement 7 – Access Control Stuff
- DSS Requirement 8 – Password Stuff
- DSS Requirement 9 – Physical and Back-Up Stuff
- DSS Requirement 10 – Logging Stuff
- DSS Requirement 11 – Testing Stuff
- DSS Requirement 12 – Policy, Training & Incident Response Stuff
- Compensating Controls
- Validation and Evidence Collection
- The Holy Grail of Security, Continuous Compliance Validation
- The Future Of PCI – Things To Bear In Mind
There are entire companies founded on, and still making fortunes from, PCI. I can, quite literally, thank PCI for my entire career in security (well, that and Windows), but it’s time we put PCI into the proper perspective, and start spending that money on the only thing that makes sense: staying in business responsibly.
If anyone would like to collaborate on any of these chapters, feel free to reach out to me. Especially encryption!!