Organisations that see compliance with the Payment Card Industry Data Security Standard (PCI DSS) merely as a way to keep the payment card companies off their backs are missing a huge opportunity to improve their overall data security program as part of a PCI DSS implementation.
Matthias Hauss, senior consultant at Bonn, Germany-based SRC Security Research and Consulting GmbH, told delegates of the recent PCI Security Standards Council (PCI SSC) European Community Meeting in London that PCI DSS need not be limited to protecting cardholder data, but could be applied to protecting all valuable or sensitive information.
“Some people dispute the value of PCI DSS compliance, and view it as just a new certificate to put on their wall,” Hauss said. “But PCI can be the ideal groundwork for other security ambitions.”
He said companies can save money and effort by exploiting the synergies for data protection between PCI DSS and the need to protect other information, such as personally identifiable information (PII).
This is especially important across Europe, where strong privacy laws, as outlined in the European Data Privacy Directive, provide individuals with a clear right to privacy and impose heavy sanctions on companies that suffer breaches.
PCI DSS also provides companies with a more pragmatic “bottom-up” approach than other, broader “top-down” alternatives driven by senior management, such as a company-wide project to gain accreditation for the ISO 27001 security standard. “ISO 27001 risk analysis takes a lot of effort,” Hauss said, “and it requires a corporate-wide commitment, including senior management, which can be hard to achieve.” That may explain why so few western organisations ever complete the process. The current total number of certificates worldwide is around 7,400, with more than half of them in Japan, according to the International Register of ISMS certificates. The total for the UK is 477, and in the US it is 101.
The prescriptive requirements of PCI DSS in areas such as patch management, change management, staff training, server hardening and data encryption can just as easily be applied to all systems in a company, and would deliver a high level of confidentiality, said Hauss. “You would still need to do a risk assessment for the other aspects of security, integrity and availability,” he conceded.
But the real benefit is that, if companies are obliged to achieve PCI DSS compliance anyway, they might as well extract the maximum benefit from it. “You can exchange the top-down approach (such as ISO 27001) for a bottom-up one that delivers a good security level with less effort,” he said. By starting with PCI DSS compliance, Hauss said, security professionals can then extend the good practice to cover information other than cardholder data. “I see it as collateral gain for PCI, not just compliance for cardholder data, but a real security improvement,” he said.
David Evans, group manager of business and industry for the Information Commissioner’s Office, who shared the stage with Hauss, endorsed the view. “There is nothing in the PCI standard that doesn’t make sense, so it’s a good idea to use it,” Evans said.
Jeremy King, European director of the PCI SSC, agreed that PCI DSS had a broad role to play. “ISO 27001 shows you what to do, but PCI DSS shows you how to do it,” he said.
The 2011 PCI SSC European Community Meeting attracted more than 500 delegates, nearly twice as many as last year, showing a heightened appreciation of the standard’s importance across Europe, the organisers said.