Achieving PCI Compliance, How Is This STILL A Mystery!?

I provided my first PCI guidance way back in 2005, and my first on-site assessment was in 2006. Since then I have performed dozens of on-sites across the globe, my last one in 2009. Until December 2012, I ran teams that delivered PCI assessments across EMEA and APAC, all of whom followed a proven methodology that took all the guesswork out of how to achieve compliance, and STAY compliant.

Over the last few months, my changed circumstances have led me back into the PCI weeds, and frankly, I am more than a little disappointed. The payment card industry is no closer to ‘getting it’ than they were 8 years ago, and the guidance provided by a significant portion of PCI professionals leaves a lot to be desired.

After >8 years, the industry SHOULD be integrating their PCI assessment processes into some form of overarching security framework, re-certification SHOULD be nearing business as usual, and QSA quality should have improved.

They’re not, it’s not, and it hasn’t respectively.

I have written several articles on the major issues with the DSS and what to do about them, I have stated more times than I probably should that the problems begin and end with the CEO, and I have repeatedly quoted my tag-line:

“Security is not easy, but it can be simple.”

I even wrote white papers on How to Sell Security (and therefore how to BUY security), and Selecting The Right QSA For Your Business, in an effort to help standardise and optimise the most important step towards compliance: asking for help.

For some reason this has not had the industry-changing effect I had expected. Surely my 18 subscribers – 4 of whom are family members – should have had a bigger impact than this!? [uncomfortable silence]

I have said for a few years now that I should put all of my experience into a PCI self-help book. Well, now I’m going to. Not all at once, mind you: I’m going to write each chapter as a stand-alone ‘white paper’ over the course of the next few months, and will request your feedback on each. When they are as polished as they are going to be, maybe I’ll try to get it published, but I’ll still give it all away here on my blog.

I will also include any tool-sets I use to conduct an assessment (plus samples / examples), and I will provide options for free-ware / cheap-ware tools that I have seen be of some use. I will NEVER recommend anything, and only offer up options upon which you must perform your own due diligence. I may highlight my OWN preferred solutions, but the choices, and therefore responsibility, will always be yours.

These are the chapters I have in mind, and in this order:

  1. So You Want To Be PCI Compliant? (a.k.a. Buy Nothing Until You Read This!)
  2. Biased Perspective – What The PCI DSS Is, And What It Can Never Be
  3. Prepare Your Organisation (i.e. Your CEO) For The Assessment
  4. The Assessment Pre-Requisites
  5. Report on Compliance Executive Summary – If You Can’t Write This, Start Again
  6. DSS Requirement 1 – Networking Stuff
  7. DSS Requirement 2 – System Configuration Stuff
  8. DSS Requirement 3 – Encryption Stuff
  9. DSS Requirement 4 – More Encryption Stuff
  10. DSS Requirement 5 – Anti-Virus Stuff
  11. DSS Requirement 6 – Vulnerability Management, Change Control, Secure Coding Stuff
  12. DSS Requirement 7 – Access Control Stuff
  13. DSS Requirement 8 – Password Stuff
  14. DSS Requirement 9 – Physical and Back-Up Stuff
  15. DSS Requirement 10 – Logging Stuff
  16. DSS Requirement 11 – Testing Stuff
  17. DSS Requirement 12 – Policy, Training & Incident Response Stuff
  18. Compensating Controls
  19. Validation and Evidence Collection
  20. The Holy Grail of Security, Continuous Compliance Validation
  21. The Future Of PCI – Things To Bear In Mind

There are entire companies founded on, and still making fortunes from, PCI. I can, quite literally, thank PCI for my entire career in security (well, that and Windows), but it’s time we put PCI into the proper perspective and start spending that money on the only thing that makes sense: staying in business responsibly.

If anyone would like to collaborate on any of these chapters, feel free to reach out to me. Especially encryption!!


13 thoughts on “Achieving PCI Compliance, How Is This STILL A Mystery!?”

  1. Hi, I have a question related to remote access and scoping out.
    1. Are user-based certificates treated as a 2nd factor of authentication? If yes, why?
    2. How does 2-factor authentication help us to scope those users out? What is the restricting factor?

    • Hi Suryaji, many thanks for your comments.

      To answer your questions:

      1. Are user-based certificates treated as a 2nd factor of authentication? If yes, why?

      [DKF: Surprisingly, the answer is – that depends. A certificate on your computer combined with username and password are something you have, and something you know respectively. So yes, ‘user based certs’ are 2FA, if configured correctly, but only verification can determine if that’s the case.]

      2. How does 2-factor authentication help us to scope those users out? What is the restricting factor?

      [DKF: 2FA does not take either the user, or the device they are using out of scope. The intent of 2FA is to enhance the authentication required to access in-scope systems from an untrusted network (like a home for example). DSS v2.0 Requirement 1.4 applies to the remote device, as does a/v, access control / password / etc stuff. The best way to compensate for a LACK of 2FA and partially de-scope remote devices is to install an admin jump server in a trusted management subnet and route all remote access to in-scope systems through it.]

      Hope this helps.

      • Hi, this helps. We advise the same practice but just wanted to hear your inputs in case there is another way out of it.


  2. I would love to help! I’m going slightly mad with PCI in my company! A lot of people talking of PCI and in the end no one knows a dime.

  3. Hi David,

    Just come across your blog. Very interesting. As a QSA almost as long as you (2006 if memory serves) I recognise many of the things you say. If you indulge in peer review then I would be happy to assist.
