The Two Scenarios Coming From The PWC PCI Report
Written by David TaylorColumnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.
At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group sought from PricewaterhouseCoopers (PWC). The first presentation of the PWC report of PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts. High priorities over the next year will be end-to-end encryption, tokenization and virtual terminals. But is it safe to act now?
It’s clear that Fortune 1000 merchants still enjoy their distaste for PCI DSS and their distrust of the process. And it’s fair to say that many merchants actually hate the PCI standards and their purveyors. At last week’s meeting, the Standards Council and the card brands attempted to embrace their detractors via the oft-repeated “we want your feedback” refrain. The response? The merchants in attendance were generally well behaved in public (perhaps they fear reprisals), and there were no reported fistfights, as much fun as that would have been.
I think one of the reasons for the less-than-hostile response was the PWC report itself, which was the highlight of the event. The report made it clear that the SSC (and, presumably, the card brands) were open to making some much-needed changes to the standards. Most of the changes that seem likely in the near term will involve embracing some increasingly popular security approaches that focus on reducing the scope (footprint) of credit card data in the typical organization.
The consultants at PWC began with an analysis of 12 security technologies that emerged from 160 interviews with industry players, and then narrowed the list for their “deep dive” investigation to several that they concluded had the best potential to be automated, could be integrated with existing infrastructures and could have a meaningful potential impact on PCI scope, rather than being treated simply as compensating controls. The three technologies they chose were end-to-end encryption, tokenization and virtual terminals, all of which have the potential to significantly reduce the size and scope of the credit card data environment in most companies and, thereby, reduce PCI compliance management costs and security breach costs.
The implications of the PWC report as they are integrated (in a to-be-determined way) into the PCI SSC will challenge the security strategies and architectures of most Fortune 1000 companies. Essentially, all three approaches PWC studied are focused on shifting the storage of credit card data outside the enterprise. That’s outsourcing. Not the most popular term in large IT shops, which have spent millions of dollars on enterprise security programs–“defense-in-depth” security architectures to protect confidential data, of which credit card data is but one type. Even as the corporate IT security philosophy aims to “protect digital assets,” merchants have been extremely vocal at the CEO and CFO levels about not wanting the credit card data on their systems. So how will the PCI SSC and merchants respond to these conflicting priorities? There are a couple of distinct scenarios.
October 1st, 2009 at 9:16 am
I too attend the PWC presentation at the PCI Community meeting last week and found it to be a complete waste of time. The PCI Council has been pointing to this study and saying we should wait for the results until they would answer any questions related to scoping, tokenization and end-to-end encryption.
Well we waited for the study and in my opinion didn’t get any more information than we already had from reading the articles that have been posted over the last six months on these same topics. PWC just simply published the same data that other sources have been discussing for some time now.
A better question to ask is why does the PCI council even need PWC? If the PCI Council has a Technical Working Group (TWG) and a Chief Technology Officer (CTO) in Troy Leach shouldn’t these people be able to research these technologies and determine what the recommended solutions should be for merchants. Based on what I saw at the community meeting, neither Mr. Leach nor the TWG are technical enough to evaluate these technologies. So merchants continue to wait for guidance from an unqualified group of people as to how to protect their credit card data.
Organizations have tried to reach out to the PCI Council for answers but the emails we submit take two to three months for an answer and then we receive “talk to your QSA” as a response. We tried to ask questions at the community meeting but were told that “they could not comment on specifics”. This group simply does not have the technical knowledge or background to guide the PCI standard in the right direction!
October 1st, 2009 at 10:10 am
For the last 2 years, a consistent them at the community meetings has been the conflict between “the standard is too vague” and the “the standard is to explicit”. It’s a legacy problem with roots in the evolution of Information Security standards
In the Info Sec world, there is usually a policy hierarchy. The old ESF/ISF formula dictated a “Policy > Standard > Baseline > Procedure” approach. There was only one high-level Info Sec policy, accompanied by a few, slightly more detailed Standards (i.e “Data Classification Standard”. Baseline Controls defined the standard control set for a specific technology (i.e. UNIX baseline) and Procedures gave step by step instructions for implementing the baseline (think “Account Request” process).
The PCI DSS is indeed a standard. It is a high-level document, relatively static, that is more oriented towards “what” than “how”. Given the issuing body and the audience, it’s probably the best level form which to approach the issue. It leaves the freedom to develop the “baselines” and “procedures” in the hands of the implementers (where it belongs).
The PwC study is the first foray into “how” for the PCI SSC, and a response to member input into requests for greater detail in that area. It’s also quite probably as far as the Council will be willing to go in that direction. I suspect the council will pursue their historic course of action in this regard. These technologies will be treated like tokenization, with the implementation left up to the merchant and validation left up to the QSAs.
Specific, published guidance will likely be derived from PCI SSC Special Interest Groups (SIGs). The Wireless and Pre-Auth SIGs have been quite productive, and the Virtualization and Scoping SIGs are making progress. I would not be surprised to see SIGs spring up surrounding these study topics, with guidance forthcoming in 2010. But I’ve been wrong before……