PCI is a subject on which reams have been written already, but
in my recent work I have seen it in a different light. For all the
technical advice given - and to a large extent practiced - the one
thing a project manager should be most aware of seems to be the
thing that is most overlooked: timing. I will even stick my neck
out and say that it has been the difference between success and
failure in every project I have been involved with.
Visa and MasterCard have so far focused most of their attention
on the tier-one merchants - firms that process more than six
million transactions a year. This seemingly arbitrary tiering
represents the point on the curve at which the card companies have
a "manageable" number of retailers to police - and that policing
operation is now under way. Although there is no
publicly available information about companies being fined in the
UK, a large information processor was recently threatened with
having its transaction-processing rights removed after a
significant breach was made public.
Typically, the PCI project managers whom I have met have already
addressed the simpler parts of PCI: firewalls, IPS, policy tweaks.
We are now seeing businesses shift towards addressing the more
complex parts of PCI and broadening their search for answers.
Increasingly, hired consultants, suppliers and online reference
materials such as the PCI Answers
forum are being called in to present more creative solutions to
the outstanding issues.
I have been working in data security for some time, and over the
years I have touched on encryption on and off to see where the
market is. It took a long time for something I believed to be
crucial to even register as a requirement. When I started working
with PCI in 2001, I thought at least retailers and banks would be
jumping into line and encrypting sensitive data immediately. In
reality, it was only earlier this year that people actually started
to encrypt data in large volumes. When the breaches started getting
bigger, and the fines started being applied, the clients came in
droves, and they are still coming thick and fast.
Encryption takes a long time: the projects are three to six
months long, or more in some cases. This really should have been
firms' first port of call - projects could have run in parallel
while the simpler parts were rolled out. They were not to know that,
of course; I did not until I actually started installing kit inside
the suppliers themselves. I can encrypt a database in minutes. What
I cannot do is integrate that database with seven different legacy
applications over three different platforms, export it to a
settlement file, pass it to a third party for ad hoc decryption,
and keep control of the keys.
However, now that these merchants have finished their projects,
they are breathing a sigh of relief: they are another step closer
to PCI compliance, and a step further from being fined. This is
something practical that tier-two or the remaining tier-one
merchants should keep in mind as they become the next focus for the
card companies.
Rob Newby is a freelance security consultant and a contributor to
the PCI Compliance Demystified blog.