Wednesday 30 November 2011

Why PCI DSS is good for Information Security

There is a growing consensus within the Information Security Community that the Payment Security Industry Data Security Standard (PCI DSS), is actually proving to be detriment to the general information security across the business. One point regularly made is the Payment Card Industry standard is responsible for diverting precious funding and resource away from the overall business information security strategy, where the breach risks can be much greater for the overall business.  That well maybe the case in larger enterprises which rightly regard best practice information security as a business priority, but consider the medium to small businesses, this is the land where information security ignorance is bliss. Within such SMEs 
PCI can be a real InfoSec wake up call, as in merely attempting to comply with the many PCI DSS requirements, it can provide benefits across the business, where before the business were previously completely unaware of the risks, or perhaps hadn't being treating risks with the proper regard. Forcing them into action to meet the specific PCI requirements, often results in security improvements across the entire business, so not just tightening the security of credit card data in their possession, but personal and confidential information as well.

Love it, Or Hate, PCI does business good

The truth of PCI DSS is most of its laid out 260 odd individual requirements, which set the minimum baseline for PCI compliance, are just best industry information security practices anyway. So businesses are supposed to be doing the lion share of them already. What PCI DSS does in the small to medium business environment (when taken seriously), it forces businesses to take note and ultimately implement these best practices, and in most cases  applying security improvements holistically across the business. For instance measures such as establishing a good patch management process, Anti-Virus deployment and information security policies are applied and benefit the entire business, not just within the cardholder environment, so the business ends up killing many data protection birds with one stone.

Today 90% of the card fraud in the UK occurs within level 4 merchants (the smallest of businesses), specifically due to web application vulnerabilities, vulnerabilities which have been around for over 10 years. Yet if these businesses were PCI DSS compliant, it would be fair to say the majority of these breaches just wouldn't occur This statistic is actually testament to the success of PCI DSS in medium to small businesses, in that larger companies (level 1 to 3), have been chased and forced to address compliance with PCI DSS by acquiring banks, opposed to the highly breached small businesses which have yet to be vigorously chased for compliance, but given the latest fraud stats, they soon can expect to be chased for compliance.

I am not saying PCI DSS is perfect, lord knows it isn't, and I do understand the arguments made by infosec leaders working within larger enterprises, which already focus on information security as a business service priority. But I find it very hard to argue that PCI DSS is not helping medium to small businesses not only protect cardholder data, but to improve their general information security, even if they aren't strictly fully compliant with the standard. As in trying to comply and to meet most of the PCI DSS requirements, it seriously reduces their breach risks, not just of cardholder data, but with the personal data they hold as well.

One final point I want to be crystal clear on, a business cannot be considered PCI DSS compliant if they are not meeting all of the PCI DSS requirements, not just on the date of PCI assessment, but for 365 days a year ,7 days a week, 24 hours a day. The QSA's successful Report on Compliance will not save a business from fines, if a breach were to occur due to the business not meeting just a single compliance requirement. How many businesses are truly compliant in this way is up for debate.