Date: 1/11/2010
Title: How to make PCI DSS a friend and not an enemy of security
Written by: Dr. Anton Chuvakin
Since most direct-to-consumer businesses accept payment cards today, PCI DSS gets a lot of attention. Such attention is further boosted by massive breaches of cardholder data. Businesses should use the requirements of PCI DSS to reduce their information risk and not simply focus on reducing the compliance burden.
Payment Card Industry Data Security Standard, or PCI DSS, was created by the card brands in order to reduce the risk of payment card transactions. Due to the popularity of payment cards as a payment method for most direct-to-consumer transactions, the applicability of PCI DSS is nearly universal. At the same time, PCI DSS is one of the most descriptive and specific security guidance documents available today. Moreover, in addition to security guidance, there is a regulatory regime of enforcement and validation. QSAs, ASVs and acquiring banks serve to "keep honest merchants honest" and to "motivate" other merchants to improve their security. While the compliance vs. security debate rages on, PCI continues to move downmarket, affecting smaller and smaller merchants.

As a result, there are calls to use PCI DSS as an underlying security framework, beyond the confidentiality of credit card data. At the same time, I have heard claims that PCI DSS distracts some organizations from improving their security by making them focus on the hard-coded controls from the document. How should enterprises deal with such a dual identity of PCI? How should they reconcile the direct demands of assessors with the implicit demands of security threats?
Before any further discussion of PCI DSS, we have to distinguish between PCI DSS, the security guidance document, and PCI, the regulatory regime. The former contains 12 domains of security recommendations, controls and practices which are mandatory to follow for those organizations that accept payment cards or process, store or transmit specific types of cardholder data. The DSS document defines what it means to be PCI compliant. On the other hand, the PCI regulatory regime includes brand-specific merchant levels, defines PCI compliance validation requirements for each level, creates entities which are used for compliance validation (Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)) and defines fines and other punishments for merchants who . It is also worthwhile to separately mention "PCI security