Filed Under (PCI DSS) by Michael Dahn on January-29-2008

<annual soapbox> This seems to come up every year, or perhaps that’s only the frequency that I address it. It seems everyone has their own view about what PCI compliance is meant to accomplish.

Martin, a friend of mine, writes that PCI is about transferring risk and not mitigating it. This implies that the acquiring bank somehow has the ability or responsibility to prevent a merchant from losing your credit card number. This is entirely wrong. The heart of the PCI DSS is about mitigating the risk of a direct attack on the cardholder data. I think the one thing we both agree on is that it’s the responsibility of the person closest to the data to protect it - and this just happens to be the merchant in many cases.

Alex, as usual, is pushing the ISMS philosophy - and here’s the kicker, I agree. For companies, especially larger ones, you need to use a risk-based approach towards compliance, in the same way that you use it for security. (Remember that compliance is a ‘bare minimum’ while security is however much at or above that line that you define it to be.) PCI is no different than the security best practices people have been leveraging for years. Where people get tripped up is when they remove the risk factor and focus too deeply on the precise wording of every requirement. You can lose sight of the forest while looking too closely at the trees.

When people say “PCI is about ______, and should instead be about _____” they are usually agreeing with me but have just not yet seen it.

You see, PCI is all about preventing the electronic and paper theft of cardholder data. That’s it. And however you accomplish this task is exactly what you need to do for compliance. Some people will ask, “But what about the checklist of items?” Well, if you are properly protecting the cardholder data then you are probably adhering to almost all of the PCI DSS requirements. If there are some that don’t fit your business model, you are probably very close to leveraging other controls you have internally as compensating controls.

If you are not protecting the cardholder data then you are not adhering to PCI DSS compliance. It’s really that simple. And that is why most others are in agreement with each other, but just approaching the problem from their own method of analyzing risk and securing the data.

Ok, you ask, but isn’t PCI about “just enough” security? Yes. It’s about just enough security to protect cardholder data. PCI is not meant to bake you bread or do anything other than protect cardholder data.


Comments
Alex on January 29th, 2008 at 2:09 pm #

I’m really hoping that those in charge of developing acceptable audit methodologies for PCI will begin to pursue a qualitative (or, better yet, quantitative) methodology for expressing ability to manage risk. That’s what it’s all about, right? Is the company in question managing risk acceptably or not?

Michael Dahn on January 29th, 2008 at 2:37 pm #

Alex, I agree that what we need to focus on is managing risk. I always say that for some companies the PCI DSS requirements may fit them perfectly, while other companies may need to map their business processes and risk management back to the requirements (instead of the other way around.)
