Q&A: Head of PCI council sees security standard as solid, despite breaches
GM Bob Russo defends payment card rules but acknowledges that 'interpretation issues' remain
Computerworld - The PCI Security Standards Council was established by the major credit card companies in September 2006 as an independent organization to manage the Payment Card Industry Data Security Standard. In an interview with Computerworld, general manager Bob Russo talks about the council's efforts to administer the PCI standard amid continuing concerns about credit and debit card security. And he defends the standard, despite the recent data breaches at Hannaford Bros. Co. and Okemo Mountain Resort.
What has the PCI council been up to? I started in 2007. My job in the first year was basically to brand the council. I think we did a reasonable job of branding the council and getting everybody to know what we are doing, and getting everybody to know the standard. My mouth wrote a lot of checks in 2007. So 2008 is when we have to start cashing those checks. Right in the first three months of this year, we have already begun to do this.
At the beginning of this year, we issued the PIN Entry Device standard. Then we released a new self-assessment questionnaire. That was the direct result of feedback from our stakeholders from the industry, from small merchants who said we can't answer 207 questions (which is the number of questions in the standard SAQ). So we broke up the SAQ into five distinct versions specific to what people are doing in terms of their businesses, down to where in some cases, you only have to answer 11 questions in order to get compliant.
This month, we are releasing the payment application standard. June 15 is when [PCI Section] 6.6 goes into effect (relating to Web application firewalls). September is when we are going to be releasing the next version of the data security standard.
What can you tell us about the next version? I can't really say if it's going to be a revision or if it's going to be a new version number. But there's going to be a lot of clarifications and a lot of guidance in it, because we still get questions about ambiguity.
One of the areas that will be touched on is probably wireless. There will be some updates. I can't tell you any specifics on what the updates are. But there will be some updates in the wireless area and probably in the application area and the preauthorization area as well -- but not so much that it's going to change the way you do business. Of course, if a major change has to be made, and if it puts people out of compliance, then we will make it a best practice for a certain period before making it a requirement.
We are also starting a QA program for our qualified security assessors. Right at this point, we are at the beginning stages. We'll probably begin the program sometime in the second quarter, and by the third quarter, we should be in full swing. We get a lot of questions from merchants about, "Why is this company charging $50,000 and why is this guy charging only $10,000? There has got to be something that one of them is doing differently." We are making sure everybody is on a level playing field, above and beyond what we already do. We already vet these companies, we make sure that they go through our training, make sure they are tested, make sure they are requalified every year. So it's above and beyond all this.
What PCI controls do people find most ambiguous? There's a lot of disagreement over compensating controls. Right now, people think that if they are not doing what the standard says, they have the ability to come out with a compensating control. Well, you do have the ability to do that. But a compensating control has to be both above and beyond what the standard calls for. The standard is the baseline. If you have a compensating control you want to submit, it has got to be above and beyond what the standard is calling for.
There are interpretation issues as well -- interpretation by the QSAs, interpretation by the merchants, interpretation by the brands. For some of the larger merchants that have been around for a while, you are talking about legacy systems that have been running their business quite well for 15 to 20 years. To try and retrofit these legacy systems with security is not an easy thing. It's easier to build a brand-new application and build the security into them right now than it is to take a legacy system and build in new security. The very last thing you want to do is break your business. So these really are the biggest concerns that merchants have.
Why aren't the Big Four accounting firms among your list of qualified assessors? They were at one point, weren't they? They had some liability issues that they weren't ready to sign up for. They look at it and say, "This is a small company here which is a QSA. Maybe it's a $2 million or a $3 million or a $10 million business, and here we have a multibillion-dollar business. Our liability is a lot worse." We are doing a couple of things behind the scenes to see if we can rectify that.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.