Is PCI Done?
Speaking of passion, another sign of PCI’s maturity is that a number of the original PCI thought leaders seemed to have lost their passion for PCI. They have moved on. I have the great pleasure to know many of these people, and a couple of them are good friends. Most are still active in the field of information security, but they are no longer QSAs and they are not necessarily working just on PCI compliance. They left for many reasons, but a common thread seems to be that there is not much new in PCI to engage their attention and energies. PCI is no longer sexy for them. Their departure means we have lost some of the energy, enthusiasm and sense of community they brought to QSAs and merchants alike.
The end of PCI has implications for merchants and their QSAs. For one thing, QSAs will need to be more than just assessors. That is, I think more merchants will expect their QSAs to be partners in achieving and maintaining compliance. Such a partnership includes addressing the full range of security and risk issues that affect the business. As a result, QSAs will need to know a lot more about the payment-card business and the merchant’s own business than any amount of PCI Council training can provide.
We can see evidence of this broadening of the QSA’s role in the growing number of Internal Security Assessors (ISAs) who have been through the Council’s training. With more ISAs, external QSA firms will need to provide more than a signature on a ROC if they expect to keep growing their business.
I personally think the spreading of PCI expertise is a great development. It benefits all parties involved and makes the assessment and compliance process easier and faster. But if a lot of the PCI “old guard” are leaving, as I contend, where will we get all these additional QSAs with broad-based business and payment knowledge?
I haven’t got an answer to that one. What worries me is that we may see more QSAs who know security but lack the business experience their clients expect. My first QSA training class had maybe 60 people in it, and I don’t think more than four or five of us had any experience in the payment-card processing business. The rest were sincere, eager and, in my eyes, very green—regardless of the fancy initials many had after their names. Trust me: It may be time to worry when you hear a potential QSA ask, “What is an acquirer?”
One solution to providing the additional expertise might be for QSA firms to hire more people with a retail, payment processing or even consulting background. Or, in a variation on this approach, we might see more QSA teams working on compliance assessments where different QSAs contribute particular knowledge or expertise.
Whatever happens, many others and I will still be here for a while. It may not make too much sense to say this, but even though it is the end of PCI, it is still what we do. What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
April 28th, 2011 at 5:40 pm
All very true, Walt. But with mobile commerce payment solutions a big question mark for PA-DSS compliance for the foreseeable future, you would think that this challenge alone would cause some excitement. No?
May 2nd, 2011 at 7:01 pm
Hi Ernie,
Thank you for the comment. I agree that there will be some activity, but “excitement?” I doubt it. Things like mobile commerce are specific technologies, and these will come and go. The general nature of the PCI framework should allow for new technical developments.
But PCI itself is pretty much at the end of its run as far as being new and interesting. It has well and truly entered the mainstream. I am not saying that is bad; I am saying it reflects the maturity of the standard, and that we are facing — to steal a book title — something like “the end of history” for PCI.