June 22, 2009, 12:04 PM — Recent Congressional hearings tackled the subject of how well PCI DSS is helping the industry. Both before and since those hearings, myriad industry pundits have spent copious amounts of their time bashing PCI and complaining that it does not work and therefore should be abandoned. And let me tell you firsthand, PCI does not work as of June 2009, and that is precisely the point.
While the PCI-bashing cabal is out in full force, I have found that few of them have read the PCI Security Standards Council's Lifecycle Process for Changes to PCI DSS. Had they done so, they might be singing a different tune. In this document, the Council maps out a long-term, pragmatic and strategic plan for PCI compliance.
Therein lies the problem: people don't want to invest in long-term security plans. They want their security band-aid now, despite the fact that they have never built security into their designs or processes. Too many of those who have long ignored security just want a security appliance they can deploy to show compliance in advance of the SoX auditors. PCI will have none of that.
In the Lifecycle Process document, the Council defines a detailed 24-month lifecycle with five stages that ensures a gradual, phased deployment and use of the PCI Data Security Standard (DSS). The five stages of the process are: Implementation, Feedback, Feedback Review, New Version, and New Version Revision. The Council also noted that it will publish similar lifecycles for the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Security Requirements.
The PCI Lifecycle Process mimics the theme that Ross Anderson developed in his seminal book Security Engineering: A Guide to Building Dependable Distributed Systems. Anderson posits that although most underlying security technologies (cryptography, software reliability, tamper resistance, security printing, auditing, etc.) are relatively well understood, the knowledge and experience of how to apply them effectively is much scarcer.
Anderson suggests an engineering-based approach to solving the problem, not one of simply throwing security appliances at the problem.
PCI gained critical mass with the release of version 1.1 in September 2006. Version 1.2 was released in October 2008. This two-year process restarted with the version 1.2 update. At this point, it is still finishing the market implementation phase as detailed in the PCI Lifecycle Process.
But the overarching issue is that security, and good security in particular, takes time. It takes analysis, feedback assessment and understanding. And once all of that is achieved, an organization needs to repeat it, as the threats and vulnerabilities are highly dynamic and constantly changing over time.
The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard. PCI takes a long-term, pragmatic and holistic approach to the problem it is attempting to solve. Compare that with SoX, which Congress ramrodded into law as a kneejerk reaction to the Enron/MCI debacles.
As to the question of whether PCI is a short-term fix: the answer is of course that it isn't. It's absurd to think that PCI can, in two years, magically obviate decades of security apathy. The bona fide plan for the PCI DSS, as detailed in the PCI Lifecycle Process, is a multi-year effort.
Take something as obvious as keeping illegal drugs out of prisons. If we were to create additional laws against that today, how long would it realistically take prison wardens to rid their penitentiaries of these illegal substances? Can we expect computer security professionals to deal with management and other issues and try to fix insecure merchant systems, and to do that faster than prison guards with vicious dogs and high-caliber rifles?
The truth is, we can't answer the question of whether PCI is working, or whether it works at all, without defining what we mean by "working." It is imperative to remember that PCI is a long-term strategic solution, not a short-term security fix. So has security improved? Are more organizations realizing their responsibility to protect cardholder data? Are consumers furious that identity theft is affecting them directly? To answer all three questions, as they say in Texas, heck yeah.
Good security takes time. The PCI Security Standards Council understands that. Security professionals understand that. Shouldn't everyone else?
Ben Rothke CISSP, PCI QSA (firstname.lastname@example.org) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).