PCI DSS 2.0 - better but still needs to step up

The new PCI DSS 2.0 specification is now on the horizon, with a release date just a number of weeks away. There were a few interesting tidbits in the Computerworld article, and a few disappointing areas where PCI is not taking a position on real-world security problems and initiatives. There are still gaping holes in PCI, so IT and security teams will have to use their own best judgment in balancing the requirements of securing their business, complying with PCI, and controlling expenses.

On the positive side, the PCI folks are to be commended for respecting the budgetary constraints of affected businesses. I have found the leading reason why companies draw the line at remaining partially compliant is the prohibitive cost in equipment, products, and people to administer it all. To PCI's credit, they do not seem to be recommending new technologies, and the approach of detecting where regulated data resides in the infrastructure can help enterprises limit the scope and costs of PCI compliance. The silver bullet for PCI compliance is to reduce, or eliminate, the handling of regulated data in the first place - the old "shrink the risk surface" strategy works with credit card data.

On the negative side, PCI requirements that are not specific to credit card processing are expected in PCI DSS 2.0. Suggesting organizations use DLP instead of actively searching to find regulated data in the far corners of their network is questionable, and mandating centralized logging instead of secure logging requirements is dubious (especially with cloud-based applications). Sometimes a little more "what to do" is better than more "how to do it" because not all products or solutions are best for all businesses.

Unfortunately, I understand that PCI DSS 2.0 is not planning on clarifying recommendations for new strategic approaches such as server and desktop virtualization, tokenization of regulated data, end-to-end encryption of cardholder information, or even use of cloud-based applications. That is a shame, since organizations probably need more guidance there than in determining what makes a strong password. While technologies such as tokenization and encryption cannot assure 100% security (the data has to be in clear text at some point, and the keys to the kingdom have to be protected in addition to the data), they clearly reduce the risk of loss of credit card and identity data. Enterprises are on their own in deciding how to apply the principles of PCI data protection (e.g. segregation of regulated data) when reducing costs with virtualization or cloud computing, or reducing PCI exposure with tokenization and encryption. However, organizations need to embrace these approaches to remain competitive and improve the technical underpinnings of their business. Tokenization and encryption of card data at the swipe, delivered as a service or an installed product, makes sense to me as a means for merchants to reduce the costs of compliance - perhaps VISA's guidelines can be used if PCI is not yet ready to step up.

Copyright © 2010 IDG Communications, Inc.
