PCI Debate Ignores Planned Improvement Cycle
Recent Congressional hearings [.pdf link] tackled the subject of how well PCI DSS is helping the industry. Both before and since those hearings, myriad industry pundits have spent copious amounts of their time bashing PCI and complaining that it does not work and therefore should be abandoned. And let me tell you firsthand, PCI does not work as of June 2009, and that is precisely the point.
While the PCI-bashing cabal is out in full force, I have found few of them have read the PCI Security Standards Council's Lifecycle Process for Changes to PCI DSS [.pdf link]. Had they done so, they might be singing a different tune. In this document, the Council maps out a long-term pragmatic and strategic plan for PCI compliance.
Therein lies the problem: people don't want to invest in long-term security plans. They want their security band-aid now, despite the fact that they have never built security into their designs or processes. Too many of those who have long ignored security just want a security appliance they can deploy to show compliance in advance of the SOX auditors. PCI will have none of that.
In the Lifecycle Process document, the Council creates a detailed and defined 24-month lifecycle with five stages that ensures a gradual, phased deployment and use of the PCI Data Security Standard (DSS). The five stages of the process are: Implementation, Feedback, Feedback Review, New Version, and New Version Revision. The Council also noted that it will publish similar lifecycles for the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Security Requirements.
The PCI Lifecycle Process mimics the theme that Ross Anderson developed in his seminal book Security Engineering: A Guide to Building Dependable Distributed Systems. Anderson posits that although most underlying security technologies (cryptography, software reliability, tamper resistance, security printing, auditing, etc.) are relatively well understood, the knowledge and experience of how to apply them effectively is much scarcer.