PCI Security Standard Struggles to Get Full Credit

SAN FRANCISCO -- Judging by the buzz at last week’s RSA Conference 2007 here, few data security standards have attracted as much attention — or generated as much angst — inside IT departments as the one being pushed by Visa U.S.A. Inc., MasterCard International Inc. and other credit card companies.

The Payment Card Industry (PCI) Data Security Standard, which prescribes a set of 12 security controls for all businesses that process credit or debit card transactions, has emerged as a leading example of the private sector’s effort to regulate itself when it comes to protecting data.

But at the RSA conference, there was a very mixed verdict on the PCI standard’s effectiveness. Some attendees worried that by stipulating specific controls instead of broad security objectives, PCI may be restricting corporate options. Others argued that the rules are too tough on smaller merchants. And one of the biggest concerns was that the standard is essentially forcing giant retailers, midsize merchants and mom-and-pop shops alike to become IT security experts.

“I see pushback from the information security community,” said Lynn Goodendorf, vice president of information privacy protection at InterContinental Hotels Group’s U.S. subsidiary. “I’m surprised by it, but I do feel that there has been some resistance.”

Goodendorf added that some security managers don’t like the idea of implementing specific technology controls dictated by an external entity.

The PCI standard broadly took effect more than 18 months ago, but many businesses began paying serious attention to the rules only after the credit card companies warned in December that they would begin assessing stiff fines for noncompliance starting next October.

The slow adoption to date reflects the lack of enforcement teeth behind the standards, according to several participants in a PCI roundtable discussion at the CSO Interchange Forum, which was held in conjunction with the RSA conference. Unless enforcement is visible and stringent, the standard is unlikely to win widespread acceptance, some of the roundtable participants said.

Others, though, see PCI as the card industry’s best hope for staving off federal intervention amid growing consumer and congressional concerns about identity theft and fraud resulting from retail security breaches. They also said that telling IT shops exactly what security controls need to be implemented is the only way of ensuring that all the companies covered by the rules understand them.

The PCI standard “is definitely not easy to do, and it’s very time-consuming,” said Deven Bhatt, director of corporate security at Airlines Reporting. Some of the criticism of the standard stems from the perception that it tells companies how to run their businesses, Bhatt added.

But PCI “has done a lot more good than people think,” he said. “The bar had to be raised because of all the breaches that are going on.”

The consensus so far appears to be that PCI “is a good road map,” said Seana Pitt, vice president of merchant policy and data quality at American Express Co., one of PCI’s proponents. “But there are opportunities for more clarifications.” Pitt chairs the PCI Security Standards Council, a recently created group that’s responsible for developing and maintaining the security standard.

For instance, a frequent request is to find a way to map the PCI controls to established information security standards, such as the ones approved by the ISO international standards body, Pitt said. There are also calls for more clarity on how the PCI council plans to enforce rules compliance.

Copyright © 2007 IDG Communications, Inc.