Why We Need PCI-DSS to Survive
Posted June 9th, 2009 by rybolovAnd by “We”, I mean the security industry as a whole. And yes, this is your public-policy lesson for today, let me drag my soapbox over here and sit for a spell while I talk at you.
By “Survive”, I mean that we need some kind of self-regulatory framework that fulfills the niche that PCI-DSS occupies currently. Keep reading, I’ll explain.
And the “Why” is a magical phrase, everybody say it after me: self-regulatory organization. In other words, the IT industry (and the Payment Card Industry) needs to regulate itself before it crosses the line into being considered for statutory regulation (ie, making a law) by the Federal Government.
Remember the PCI-DSS hearings with the House Committe on Homeland Security (AKA the Thompson Committee)? All the Security Twits were abuzz about it, and it did my heart great justice to hear all the cool kids become security and public policy wonks at least for an afternoon. Well, there is a little secret here and that is that when Congress gets involved, they’re gathering information to determine if they need to regulate an industry. That’s about all Congress can do: make laws that you (and the Executive Branch) have to follow, maybe divvy up some tax money, and bring people in to testify. Other than that, it’s just positioning to gain favor with other politicians and maybe some votes in the next election.
Regulation means audits and more compliance. They go together like TCP and IP. Most regulatory laws have at least some designation for a party who will perform oversight. They have to do this because, well, if you’re not audited/assessed/evaluated/whatever, then it’s really an optional law, which doesn’t make sense at all.
Yay Audits photo by joebeone.
Another magical phrase that the public policy sector can share with the information security world: audit burden. Audit burden is how much a company or individual pays both in direct costs (paying the auditors) and in indirect costs (babysitting the auditors, producing evidence for the auditors, taking people away from making money to talk to auditors, “audit requirements”, etc). I think we can all agree that low audit burden is good, high audit burden is bad. In fact, I think that’s one of the problems with FISMA as implemented is that it has a high audit burden with moderately tangible results. But I digress, this post is about PCI-DSS.
There’s even a concept that is mulling around in the back of my head to make a metric that compares the audit burden to the amount of security that it provides to the amount of assurance that it provides against statutory regulation. It almost sounds like the start of a balanced scorecard for security management frameworks, now if I could get @alexhutton to jump on it, his quant brain would churn out great things in short order.
But this is the lesson for today: self-regulation is preferrable to legislation.
- Self-regulation is defined by people in the industry. Think about the State Bar Association setting the standards for who is allowed to practice law.
- Standards ideally become codified versions of “best practices”. OK, this is if they’re done correctly, more to follow.
- Standards are more flexible than laws. As hard/cumbersome as it is to change a standard, the time involved in changing a law is prohibitive most of the time unless you’re running for reelection.
- Standards sometimes can be “tainted” to force out competition, laws are even more so.
The sad fact here is that if we don’t figure out as an industry how to make PCI-DSS or any other forms of self-regulation work, Congress will regulate for us. Don’t like PCI-DSS because of the audit burden, wait until you have a law that requires you to do the same controls framework. It will be the same thing, only with bigger penalties for failure, larger audit burdens to avoid the larger penalties, larger industries created to satisfy the market demand for audit. Come meet the new regulatory body, same as the old only bigger and meaner. =)
However, self-regulation works if you do it right, and by right I mean this:
- The process is transparent and not the product of a secret back-room cabbal.
- Representation from all the shareholders. For PCI-DSS, that would be Visa/MasterCard, banks, processors, large merchants, small merchants, and some of the actual customers.
- The standards committee knows how to compromise and come to a consensus. IE, we can’t have both full hard drive encryption, a WAF, code review, and sacrificing of chickens in the server room, so we’ll make one of the 4 mandatory.
- The regulatory organization has a grievance process for its constituency to present valid (AKA “Not just more whining”) discrepencies in the standards and processes for clarification or consideration for change.
- The standard is “owned” by every member of the constituency. Right now, people governed by PCI-DSS are not feeling that the standard is their standard and that they have a say in what comprises the standard and that they are the ones being helped by the standard. Some of that is true, some of that is an image problem. The way you combat this is by doing the things that I mentioned in the previous bullets.
Hmm, sounds like making an ISO standard, which brings its own set of politics.
While we need some form of self-regulation, right now PCI-DSS and ISO 27001 are the closest that we have in the private sector. Yeah, it sucks, but it sucks the least, just like our form of government.
Similar Posts:
Posted in Public Policy, Rants | 11 Comments »
Tags: auditor • compliance • government • infosec • itsatrap • law • legislation • management • metrics • pci-dss • publicpolicy • risk • scalability • security
June 9th, 2009 at 10:33 pm
One important other aspect. In developing an approach to find out what *does* work, we completely lack an experimental “control”.
What wide-scale adoption of something like PCI DSS does is provide that control environment we need in order to test the assumptions we make in the suggested practices we call “best”.
It’s all very rudimentary, of course, but we’ve got to start somewhere.
June 9th, 2009 at 10:58 pm
Good post, valid points, but I can’t help but note that we always – and by we I mean the security industry as a whole – keep returning to the “well, yeah x sucks, but it sucks less than y”
June 10th, 2009 at 12:27 am
Perhaps they should have designed a self-regulatory system that actually incentivizes reasonable risk-based security. Instead they designed a system that incentivizes a checklist validation process and insulates the card brands from liability. “Self-regulation” is starting to look like the fox guarding the hen house, and the security industry and pros let it happen.
June 10th, 2009 at 1:22 am
The notion of self regulation is admirable but there is little doubt in my mind that consumers are better off as a result of PCI-DSS. I have just seen too many cases where companies would not have changed their ways unless they were forced to do so by compliance concerns. I have also observed cases where more changes were made than was necessary for PCI-DSS compliance only because the opportunity existed to get more done at the same time PCI-DSS was being addressed.
Is PCI=DSS perfect? No, of course not but I am in agreement with you that it is somewhat of a necessary evil at the moment until we can find something that works better.
June 10th, 2009 at 6:32 am
Hi All, just a guideline on comments. I’m not open to debate in this post if the controls of PCI-DSS actually provide effective security, there is plenty of talk elsewhere on that. What I want is to do is to have a conversation on why we need to self-regulate and how we actually get around to that.
@Alex Good idea. I think that’s a problem with maturity as an industry, everything we offer is “listen to me, or we’re doomed”.
@Amrit You’re right, but since security is just managing conflict, do you have a solution to offer? In fact, I feel this way about most security technologies and products: they suck, but they suck less than the alternative.
@Dave Navetta Good point. There is a conflict of interest in any standard, the key is how you deal with it, and right now we’re not doing a good job at it.
@cyberlocksmith So would you say that as an initial standard, it fulfills part of the self-regulation niche but that maybe it needs to “grow legs” and actually become a true standard for self-regulation?
BTW, this is probably the only blog post I’ll write directly about PCI-DSS, so enjoy it while you can. =)
June 10th, 2009 at 9:44 am
Do you feel the same way regarding self-regulation and the energy sector? think NERC CIP. At what point do you feel an industry is critical enough to our nation that it requires government involvement (let’s assume for the sake of argument that fed involvement = better oversight or opportunities for incentives, perhaps on taxes to comply)
June 10th, 2009 at 12:29 pm
@Amrit
When it comes to NERC and CIP, I don’t have the background and history to talk specifics.
Putting on my professor hat here because we’re going to talk abstracts and theory:
Depends on your political slant: nanny-state v/s lassez-faire v/s strong federalist v/s corporate darwinist. My opinion is that if the industry can regulate itself and do so effectively, let it. In the case of self-regulation, the government becomes one of the stakeholders and has a place on the standards committee.
If the industry cannot effectively self-regulate and the industry is critical infrastructure, then we most likely should consider regulating it via legislation. Legislation should be the last resort, not the first solution tried.
So the question is this: has the energy industry demonstrated that they cannot self-regulate to the point where we need the government to take over? I’m not sold on it, but if I were Assante, I would be bringing it up every meeting that I attended. =)
June 16th, 2009 at 5:07 am
[…] Click here to read this opinion. Filed under: Information Security, Security and Privacy Tags: Data Breach, PCI, PCI-DSS, personal identity, privacy laws Leave a Comment […]
July 6th, 2009 at 11:32 am
For payment transactions, why isn’t encrpypting cardholder information end to end (from pin pad to payment processor)a sufficient level of controls?
It eliminates most PCI controls, works for EMV, and substantially reduces audit and compensating controls costs.
While I agree we don’t need government involving itself, we also don’t need the complexity of PCI-DSS to do what end to end encryption is fully capable of acheiving. Simplify the solution, and the government won’t feel compelled to get involved.
July 6th, 2009 at 11:58 am
Hi Dave, I’m not talking about specific controls here, what I’m talking about is the need for the payment card industry to self-regulate and to do it the right way before we get to the point where Congress decided to legislate regulation.
But yes, I agree. =)
March 9th, 2010 at 10:17 pm
[…] If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed (I can even email my blog posts to you when I publish a new one) or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. If you want to see me blog about anything in particular, drop me a private email on how you think I'm completely full of myself, extend me an invitation to speak at your next security meeting/event, or just to ship a huge bag of money in my direction, you can do that through my contact page. Thanks for visiting and happy hacking!OK, so I lied unintentionally all those months ago when I said I wouldn’t write any more PCI-DSS posts. […]