PCI is a subject on which reams have been written already, but in my recent work I have seen it in a different light. For all the technical advice given - and to a large extent practiced - the one thing a project manager should be most aware of seems to be the thing that is most overlooked: timing. I will even stick my neck out and say that it has been the difference between success and failure in every project I have been involved with.
Visa and MasterCard have so far focused most of their attention on the tier-one merchants - firms that process more than six million transactions a year. This seemingly arbitrary tiering basically represents the point on the curve where the card companies have a "manageable" number of retailers to police - and now that policing operation is under way. Although there is no publicly available information about companies being fined in the UK, a large information processor was recently threatened with having its transaction-processing rights removed after a significant breach was made public.
Typically, the PCI project managers whom I have met have already addressed the simpler parts of PCI: firewalls, IPS, policy tweaks. We are now seeing businesses shift towards addressing the more complex parts of PCI and broadening their search for answers. Increasingly, hired consultants, suppliers and online reference materials such as the PCI Answers forum are being called in to present more creative solutions to the outstanding issues.
I have been working in data security for some time, and over the years I have touched on encryption on and off to see where the market is. It took a long time for something I believed to be crucial to even register as a requirement. When I started working with PCI in 2001, I thought at least retailers and banks would be jumping into line and encrypting sensitive data immediately. In reality, it was only earlier this year that people actually started to encrypt data in large volumes. When the breaches started getting bigger, and the fines started being applied, the clients came in droves, and they are still coming thick and fast.
Encryption takes a long time: the projects are three to six months long, or more in some cases. This really should have been firms' first port of call, since encryption projects could have run in parallel while the simpler parts were rolled out. They were not to know that, of course; I did not know it until I actually started installing kit inside the suppliers themselves. I can encrypt a database in minutes. What I cannot do in minutes is integrate that database with seven different legacy applications over three different platforms, export it to a settlement file, pass it to a third party for ad hoc decryption, and keep control of the keys.
However, now that these merchants have finished their projects, they are breathing a sigh of relief, because they are another step closer to PCI compliance and a step further from being fined. This is something practical that tier-two merchants, and the remaining tier-one merchants, should keep in mind as they become the next focus for the card companies.
Rob Newby is a freelance security consultant and is a contributor to the PCI Compliance Demystified blog.