It was hard to brush aside comments made by First Data CISO Phil
Mellinger, who suggested at a recent forum that
the Payment Card Industry's Data Security Standard (PCI DSS) should
be overhauled to eliminate subjectivity, ease restrictions and
help more merchants comply. After all, Mellinger did develop the
precursor to the current standard.
But this week I haven't found many people who agree with him.
During a panel discussion on identity fraud in New York Tuesday, I asked a couple of financial practitioners if the rules should be eased to help more merchants comply. Kevin Dougherty, senior vice president of information services at Orlando, Fla.-based CFE Federal Credit Union, summed up the consensus in the room when he said, "It's our responsibility to meet the bar that's been set."
Many industry professionals seem to share that attitude, if a
recent scan of the blogosphere is any measure.
Let's start with SearchSecurity.com's own Security Bytes blog, where we ran some comments from those who have followed our coverage of Mellinger's talk.
Chris Noell, an executive analyst, CISSP and QDSP, wrote that
Mellinger's suggestion for a simpler standard that rises over time
would have been a good idea at one point, but that given where we
are today, it would be a step backwards.
"Over the last four years, numerous merchants and service
providers have told me that they are reluctant to do anything until
the very last minute because the card brands have a way of changing
their standards, invalidating compliance investments," he wrote.
"Lowering the bar now would just confirm this suspicion and cause
an erosion of credibility. The 35% of Level 1 merchants who are
currently compliant would feel like they had wasted money and would
be understandably bitter."
Rick Hayes wrote that Mellinger is missing the boat on PCI.
"Obviously, there is an issue with merchant compliance," he wrote.
"This is compounded by the fact that generally it takes anywhere
from 18-24 months to actually meet the requirements of the 'dirty
dozen.'"
But, he added, relaxing PCI DSS will not have any effect other
than to increase the likelihood of more data breaches. "It
certainly won't mean that more merchants will become compliant," he
said. "What needs to be adjusted is the timeline, not the
requirements. I don't think anyone in their right mind would or
should argue that implementing such basic tenets of security is a
bad thing. That is really what PCI is about -- basic security best
practices."
The Ambersail infosec blog offered a similar
perspective. It expressed sympathy for organizations the size of
First Data and said compliance must be tough for them. But lowering
the compliance requirements isn't the answer. In the end, the blog
said, PCI DSS compliance demands the types of security procedures
companies should already be taking.
"Compliance is tough for everyone, big and small," the blog
said. "And what we had before was, well, nothing really.
Chaos."
Moin Moinuddin, a self-described industry architect with Microsoft, wrote in his ARC Thoughts blog that PCI DSS compliance is good for a company's security and cost controls.
"For example," he wrote, "a retailer who had never really done
an internal assessment before now did this and [it] resulted in
[the] consolidation of servers in the stores using [a] virtual
server product. So this helps in reducing overall cost of
maintenance in addition to improving security."
The bottom line is that nobody is accusing Mellinger of giving
up on PCI DSS or security. Many people agree the standard could use
some changes. But they also believe companies are having trouble
with PCI DSS because their security programs were lacking to begin
with.
The last thing companies like that need is an easier ride to
compliance.