I'm really just tired of two things. First, all the marketing hype the vendors are putting out there about how their products are going to magically make you compliant with PCI DSS. Secondly, all the differing opinions about what it takes to be compliant with this regulation are getting old too. There are books, whitepapers, seminars, scanning services – you name it. If you need to comply with PCI DSS there's a self-proclaimed expert on every corner out there who wants to help.
Since you're reading this, PCI DSS probably affects you and your business in some way. As with many organizations, it's likely in the context of Web security. Well, if so, you're in luck. Here's the lowdown on what PCI DSS is all about. First off, there's this security scan requirement in PCI DSS that everything seems to be revolving around. In doing security scans myself, I'm here to tell you that security scans aren't everything. I can't tell you how many businesses I come across that vouch they're secure or compliant just because they've had some PCI-certified scanning vendor run a quick scan and tell them everything's OK. It's not that simple. I've used some of these very tools that the vendors are saying will find vulnerabilities in your applications and point out where you're out of compliance with PCI. I've seen them not find any flaws at all while, at the same time, another vendor's tool uncovers cross-site scripting, SQL injection, and so on. Do your homework before buying into companies that tout "Web scans for PCI compliance". If you show me a Web application out there that doesn't have any vulnerabilities, I'll show you an application that hasn't been tested in the right ways.
Relying on scans alone is one thing. Hiring a PCI Qualified Security Assessor (QSA) is something else. You'd think they'd find everything that counts, but it's not that simple. Information systems – especially Web applications – can be extremely complex, and even the best QSAs out there may not uncover everything that matters. Just ask Heartland Payment Systems. This is especially true if the people doing the assessments are just out of grad school and don't have a good mix of skills to know what to look for.
Another thing is that you're probably not going to have PCI police knocking on your door. No one's going to jail over failing to comply with PCI DSS. After all, it's an industry regulation – not a law. That said, all it takes is one breach of your payment-related systems to get your business in a real bind. A business that loses credit card processing privileges in today's world is destined to take a big hit.
Finally, PCI DSS is nothing more than a set of solid information security practices bundled up in a neat little package that's being pushed as yet another separate component of compliance you have to deal with. Don't fall for this. You shouldn't focus on PCI DSS in a standalone fashion if your business falls under the scope of other regulations such as HIPAA, GLBA, SOX, and so on. Odds are it does. Work with your compliance officer, or if you're like many other IT professionals and you are the compliance officer, try to get a handle on what other regulations your business is up against and focus on "information security" as a whole. This will allow you to touch all of the important areas (risk assessment, policies and controls, visibility, automation, and so on) so you can kill two, or three, or four birds with one stone rather than addressing each regulation on its own. This is all the same stuff, folks.
Getting your compliance priorities in order is absolutely necessary. Just don't pour all your energy and money into security for the sake of compliance. Even though PCI DSS is a regulation with explicit requirements, you have to temper it with some good old-fashioned common sense – for that's the stuff smart security consists of.
About the author: Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in August 2009.