RealTime IT News

Does PCI Compliance Equal Security?

NEW YORK -- The need for regulatory compliance is driving spending on security. Yet is it actually improving security overall?

It really depends on who you ask, according to industry experts from RSA, MasterCard Worldwide, Forrester Research and Depository Trust Clearing Corporation. Representatives from these companies debated the merits of PCI compliance as well as offering suggestions on how to get it implemented during the Interop conference here.

"A lot of people wouldn't do anything without it being a reaction to an incident," said Paul Stamp, senior product manager at RSA. "Compliance leads to security, which wouldn't be there otherwise. So it's a good thing."

That said, compliance coupled with a regulation, such as the Payment Card Industry/Data Security Standard , doesn't necessarily mean that an organization is secure. Khalid Kark, a principal analyst with Forrester Research, argued that a lot of businesses think being in compliance with regulations assures them of security best practices. That's not always the case, he added. However, he added, if you do security well, it could lead to compliance.

Because of the new compliance requirements with PCI this year, Forrester is seeing a bump in spending on security.

The PCI-DSS standards are an effort by the payment card industry to provide a baseline level of security compliance for those that process payment information. PCI-DSS version 1.2 is scheduled to come into effect on October 1st providing additional security provisions.

"PCI is a global standard because fraud is global," Jennifer Mack, a vice president with MasterCard Worldwide, told the audience. "While PCI is a single standard for a global environment, it does allow for flexibility and that's what's in the upcoming standard with extra clarity around the requirements."

Mack also is a member of the PCI Counsel, which actually works on developing industry specifications for PCI compliance. She noted that a primary reason for the PCI standards is the fact that the payment card industry is desperately trying to avoid government intervention in the space.

Furthermore, she argued, the standard is helping a lot of companies avoid data breaches because of their compliance posture.

Mack's declaration drew a swift response from panel moderator John Pironti, chief information risk strategist at CompuCom. He argued that he was aware of breaches of PCI-compliant vendors. Mack, however, responded that in cases where a vendor was fully compliant with every aspect of the PCI standard, there have been no reported issues.

One of the bones of contention between Mack and Pironti was around the role that QSA's (Quality Security Assessor's) play in PCI compliance. It is the QSA that can, in effect, certify that an organization is compliant. But there can be differences between different QSAs and they might be the weak link in failing to identify a particular area of non-compliance.

A key role for QSAs is helping to identify areas of risk, which is where compliance can also serve a starting point for checklist of items to look at.

"On a risk based model you can get more done than just relying on a regulation to get things done," Forrester's Kark said.

Mack responded that a risk-based approach and compliance are not mutually exclusive and they can be used in tandem to secure organizations. That being the case, Mack admitted that PCI-DSS is an evolving standard. On October 1st the next release of DSS 1.2 comes out and then it will be another 24 month cycle until the next one comes out.

"We want input from the community and how it affects you so we can enhance it and make it better," Mack said. "The point is we have to protect data credit card or otherwise. If we don't show we're making progress than we'll have a big problem."