PCI Standard v. 1.2: What Do We Anticipate?
The wait for the next PCI standard revision is almost over. Like so many companies, we really want a sneak peek at the newer version. And like so many companies, we’re waiting until the PCI Standard Community meeting in September to see it. Is it going to encompass major changes that are going to cause retailers to choke? I don’t think so.
The PCI Security Standards Council has been consistent in its guidance and public statements: no major overhaul of the standard, no new requirements added, but better clarification of some areas and more consistent interpretation of the requirements by QSAs. If we look at what the council has done in 2008, it has already given us a few sneak peeks.
The PCI council released two information supplements in April, one on Requirement 11.3 (penetration testing) and one on Requirement 6.6 (web application firewalls and source code review). We shouldn’t be surprised to see more detail in the new standard around these areas, since both supplements add clarification and guidance.
The PCI council also created special interest groups (SIGs) to focus on specific areas of the standard. One of these is the wireless SIG. This is a good idea, and I hope to see advancements on the wireless side of the standard. The requirement that companies check for wireless devices once a quarter can be improved significantly. Once a quarter? That means the bad guys have a chance of getting caught only once every 90 days. I’d like those odds improved a bit in our favor. Guidance on what to do when a rogue access point is found would also help.
Overall, I will say I’m a fan of the PCI standard. If you compare it with other compliance regulations, you have to like it. The PCI standard is 17 pages long, written in English. And it gives the message clearly and concisely. It’s a good way for a company to create a security best practice foundation in their organization. An alternative is to use ISO 27001 or other frameworks and read through hundreds of pages written in legalese, and you’re still not quite sure what to do next. Give me PCI any day. It builds a good, strong foundation. Does it guarantee strong security? No, of course not. If it got that inflexible, everyone would complain that they couldn’t implement it. You can’t blame a weaker security posture on a compliance regulation. That’s like saying you blame the car when you run out of gas, obviously ridiculous.
The PCI standard is also a global standard that spans many industries beyond retail. Even so, the standard still hasn’t required major changes. Those are clear signs of best-practice guidelines. So, the wait is almost over, and I for one am hoping it’s a bit underwhelming and not so exciting.
Terri Quinn-Andry is responsible for compliance solution development at Cisco Systems, Inc.
September 10th, 2008 at 3:10 pm
Nice article. I particularly like your statement:
‘Does it guarantee strong security? No, of course not. If it got that inflexible, everyone would complain that they couldn’t implement it. You can’t blame a weaker security posture on a compliance regulation. That’s like saying you blame the car when you run out of gas, obviously ridiculous.’
I agree wholeheartedly; however, the difficulty is often explaining to CIOs and CFOs that spending money on security that goes ‘beyond’ the PCI standard can be difficult. I have conversations with some very large retailers in my daily work and sadly, PCI has often been ‘accepted’ as the standard to which they should execute.
Getting retailers to understand that spending the money and resources to implement ‘secure’ environments that go beyond PCI (but which will ultimately still be susceptible as that environment is changed and threats change) is the smart thing to do can prove difficult. And I’m not pushing a product…