I was reading an article recently about what auditors really think about the security and compliance requirements that they test for when doing a PCI DSS compliance audit. I was more than a little surprised to read that over 60% of the 505 auditors in the study referenced said the organizations they audit don’t believe compliance improves their data security effectiveness. I’m a bit perplexed by that. After all, there are only 12 requirements in the PCI DSS specification, and they seem pretty straightforward and simple to me.
Well, it appears that it may not be as simple as the “only 12 requirements” may lead you to believe. For instance, the size of the facility and the quantity of transactions determine your validation requirements. So, is the problem here that the validation process is too difficult and cumbersome?
Let’s look a little further. If you consider a county agency, a Level 4 merchant, the validation requirements are minimal. However, what is the cost of building out your network to get to that level of validation? Hmm, maybe we’re on to something here. Now, if you consider a Level 1 merchant, like the United States Post Office, with kiosks and online postal services, you can see how the costs go up dramatically. Or, how about the military, with PX stores all over the world? Now we’re getting somewhere.
Developing and deploying an infrastructure that is PCI DSS compliant, manageable and cost effective is no easy task, particularly if you are on the scale of a national or global organization that transmits, processes and stores credit card data. The network, applications, endpoints and data stores all have to be considered when deploying security. In addition, merchants of this size need to complete an Annual Report on Compliance by a Qualified Security Assessor, complete a quarterly network scan by an Approved Scan Vendor, and file an Attestation of Compliance Form. Okay, now I see why PCI DSS is not for the faint of heart. And, as soon as you figure it out, the standard changes. If you could use some help with the new PCI DSS 2.0 changes, you might want to listen to a recorded webinar from December 7 called “Implementing New PCI DSS 2.0 Standards”.
For those who are familiar with the PCI DSS standards, I’d like to find out how you really feel. Do you agree with the auditors’ belief that most organizations feel compliance does not improve their security effectiveness? Is it overly complicated, or missing the mark? Please let me know your thoughts. I’ll provide some additional information and updates in a later post.