Filed Under (Compliance, Vendors) by Michael Dahn on May-22-2007

As many companies move into year 2 and 3 of PCI compliance, the question I’m left with is, “how does one stay compliant?” Several QSAs have told me of happily helping their clients get compliant in year 1, only to be frustrated when they show up 12 months later and find the company has not maintained that compliance.

Sometimes people focus too much on the event of compliance and miss the fact that they need to maintain that secure state across the whole 12 months. What does a QSA do if they audit a company year after year only to find it is compliant and secure only around the time of the audit itself?

One of my (and many others’) frustrations is that companies are focusing on point-in-time compliance instead of continuous security throughout the year. We have already had the compliance vs. security conversation, but when will compliance and security become a continuous process?


Comments
APM on May 22nd, 2007 at 10:34 pm

We’re not managing it.

This is despite the fact that I have actively sidelined the “achieving compliance” requirement and based all the presentations and conversations I have had about PCI DSS at my company on the “building a maintainable compliance platform” message.

One success I have had is that the company has accepted that making existing legacy systems (and for that read clunky, undocumented, unmaintainable etc. etc.) compliant was not the issue. Keeping legacy systems compliant would be the real requirement.

They have accepted this so much that they have agreed to completely redesign our payment processing platform from the POS that it is to a nice shiny new isolated system. This project is progressing and one of its key deliverables is a maintainable platform (both from the operational and compliance points of view).

The two key aspects for me were a) documented, maintainable systems and b) isolation from the rest of the legacy dung heap. The project _should_ achieve that.

But, and this is a big “but”, the one thing I have still to get them to deal with is the ongoing compliance of the new system. I’m still plugging away at the argument but for now they have “parked” the ongoing compliance issue and this is worrying.

We need a compliance function within the Company; this is not looked upon as a good idea because it means increased headcount.

Jim Bodino on May 23rd, 2007 at 6:03 am

Who is ultimately responsible for Compliance? The acquirer? The POS provider? A gateway provider? It seems our Level 1 clients are not on the same page when it comes to PCI compliance. With October around the corner and fines on the horizon some are getting concerned. Anybody else out there experiencing this?

datasecurity on May 23rd, 2007 at 7:07 am

It is the responsibility of the merchant to get compliant AND stay compliant. The key focus I want to bring attention to here is that, just like APM is learning, the “ongoing compliance” is not attended to.

As we quickly approach the Visa CAP deadlines this year I wonder how many companies are trying to get their nose past the ‘compliance’ mile-marker and how many are focusing on the ongoing maintenance of their security program.

Doug Wickens on May 23rd, 2007 at 8:14 am

This is a common problem for all IT systems, not just PCI-compliant systems. The solution is typically process based rather than technology based and is typically called Operational Lifecycle Management.

A well-documented process was developed by NIST and is called Certification and Accreditation. C&A is oriented towards what needs to be accomplished to ensure systems maintain their security profile (PCI profile or SOX profile or ??).

The downside is that, like all aspects of Security and Risk Management, most of Senior Management is rarely interested in it. Ongoing lifecycle management takes a strong commitment and is usually as popular as a head cold and is ignored until a threat emerges such as fines or audits.

Maybe ongoing PCI compliance validation will manage to force it to happen, but I have a suspicion that it won’t until several businesses get slapped with heavy fines for non-compliance.

Money has a strange way of making people listen.

Doug

APM on May 23rd, 2007 at 10:43 pm

PCI DSS _requires_ the organisation to be compliant all day every day. If a security breach occurs, the investigators will need to be convinced by the organisation that they were PCI DSS compliant at the time of the breach to avoid fines and costs directly associated with PCI DSS non-compliance.

This being the case, the maintenance of compliance really is the key issue. Anyone can become compliant; it’s just a case of doing what the standard (and more importantly, the Audit Procedures questions and testing processes) says you have to do, but with that you are just out of the starting blocks.

The real trick, and this is where I think a lot of organisations are missing the point, is to remain compliant thereafter.

From Tom Grubb’s post: “…I haven’t heard anyone talk about a holistic approach to PCI – a framework approach that connects all the dots.”

This is exactly the point I’m pushing in my company. We need a compliance function (not just for PCI DSS but shedloads of other legislation and contractual obligations as well) but so far, no dice.

They can’t say I didn’t warn them…

APM on May 24th, 2007 at 12:19 am

I’ve been thinking about this some more since my previous post.

I wonder if the reason for the lack of appreciation for the need for ongoing compliance management is down to the make-up of the organisations concerned. For the Level 1 and larger Level 2 merchants, it is possible that they have compliance functions within their organisations. Smaller organisations most probably would not have such people / teams and the old “everyone is responsible for compliance…” approach may well be prevalent.

If this is the case, then this could explain why not much consideration is being given. Also, most PCI DSS compliance projects are exactly that, “projects”. Project teams could be approaching this with a view that the compliance delivery date is the end of the project. In that case, ongoing compliance management may not get a look in.

Rob Newby on May 24th, 2007 at 3:21 am

Tom is absolutely right. We worked on opposite sides of the world during our time at Vormetric, but regularly visited each other’s offices to compare notes. We all tended to try and use PCI DSS as a driver for our business, because it was a way of pointing to threats, and created an “immovable event” to set sales deadlines to.

I have to say, they had more success with it in the US than we did in the UK and Europe, and that was mainly down to SB1386. Without disclosure we were reduced to looking for events that had adversely affected someone, somewhere, and who had a budget to fix it. No-one really knew about PCI compliance in Europe in 2004 except vendors and resellers. It was needles in haystacks basically.

This just goes to back up what Tom says about PCI being event driven. With or without PCI however, it was the events that drove our business. PCI DSS merely helps define the events, disclosure helps reveal them. So many vendors use this approach, and it seems to be a lot of effort for little return. What we (yes, I’m still a vendor, shoot me now) need is someone to teach the framework so educated customers can choose from a free market of variable quality goods. The market can then weed out the bad and keep in the good. As a vendor of good products (and Product Manager of said products) I am not scared by this approach.

If everyone followed Tom’s advice and used a continuous approach, there would be far fewer issues. As usual, his hardest job is one of getting out there and teaching the lessons.

Good luck Tom, speak to you soon.

O'Grady Milner on June 19th, 2007 at 6:49 am

Managing the ongoing requirements of the more difficult technical requirements of PCI Sections 10 and 11 prompted NetBoundary to develop a cost-effective solution to address the problem of continuous compliance. Partnering with Loglogic and Tipping Point we have developed quick-to-deploy and cost-effective managed security services built on the leading platforms for Log Management and IPS. Our Hosted Log Management and IPS infrastructure with 24×7 monitoring is a solution that should be looked at rather than trying to staff and train your own Security Operations Center.
