I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world).
The first issue signaled that the council’s view of IT risk is maturing. Bob Russo made it very clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance, although there wasn’t a lot of detail offered on how to do this. The presentations mainly focused on ensuring that complying with the PCI standard is a year-round activity/program and not something just done for the audit. I’d argue that moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations within the PCI community get this. It’s interesting to note that the driver for the council’s new views appears to be the very public breaches that have occurred within PCI-covered organizations over the past 18 months. So, the council has felt the impact. The key question is how the council will help the greater PCI community understand and mature their approach to IT and business risk.
The second, closely related topic was the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea, and I agree with their hesitation. Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program. I think that until more organizations fully and truly implement PCI, such an approach will only muddy the waters. That said, incorporating risk as a consideration is important to an organization’s compliance efforts. As I mentioned above, I think the most pertinent issue is to get PCI-covered organizations to understand IT risk and how it translates into risk to their business. While assessors and many of the banks understand this, some merchants are still a ways off in getting to this level of maturity.
The final and much broader issue related to general standards. The council has always relied on NIST as a guideline, but this year there was much more discussion surrounding NIST, FISMA, and future regulations that will impact PCI. In the keynote, former Congressman Tom Davis discussed the process of passing FISMA. His prediction was that any new information security legislation was not going to happen in the near term. Nonetheless, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, NERC, and a number of the ISACs are strongly considering moves and potentially longer-term mandates that use these federal standards as their direct basis. Ultimately, I think it is very likely that many organizations will use significant portions of these federal standards as their basis. This could be both good and bad and is much easier said than done, but simplification and consistency should help all industries and information security in general.
Overall, the conference was a good barometer on the maturity of the PCI community and I think that, although there have been issues, the program is moving in the right direction.