Greatest Challenges for Meeting PCI/DSS Compliancy
When facing with a compliancy project and organization may sometimes find itself at a lost. The lost feeling might be intensified when getting unclear deadlines and requirements by the local acquiring banks. However, not all challenges for meeting compliancy are external.
Firstly, most large corporations to include Banks, Retail chains, Telco companies, Insurance companies, eCommerce companies or any other merchant that deals with credit card information has a large cardholder data environment. This is mostly due to the fact that most organizations grew as time went by and so did their IT systems and applications. Therefore, it is not uncommon to find an organization that has web servers that inputs credit card information, internal database servers that store them, data warehouse application that stores and processes them, reporting applications that store and process them, clearing applications that transmit them, and antifraud applications that process and transmit them and so on.
It is to understand that the larger the cardholder data environment is, the more difficult it is to fully meet compliancy with PCI DSS. This is due to the fact that the standard requires changes to be made at all levels; stemming at the infrastructure level, operating system level, application level, network level, procedures level and so on. The wider the environment and the sample size are, the more difficult it is to meet PCI DSS requirements.
For instance, not many organizations wish to undertake a security code review project on their core legacy applications that were written in COBOL.
It is also imperative to understand that PCI DSS is an annual and ongoing requirement. The larger the cardholder data environment is the harder and the more costly it is to maintain. Another main challenge when approaching a PCI DSS project is the fact that lack of full and total management approval is not always granted. In some organizations PCI DSS is perceived as a strategic goal and as a business enabler whereas in most organizations it is perceived as an unnecessary burden to be dealt with when it is absolutely necessary and not a minute sooner. This sometimes may lead to an unattainable deadline and subsequently to fines, penalties or other sanctions taken
by the payment brands. There are also those who wish that the local acquiring banks share the cost of becoming PCI DSS compliant. This article’s writer would love to hear of such successful endeavors.
Third challenge that we may encounter when facing a PCI DSS compliancy project is the fact that the requirement to comply with PCI DSS may come in midyear, after budgetary framework has been decided upon and approved. This might delay any wishful attempts for PCI DSS compliancy until the next budget discussions set. This takes us back to the point on the domestic acquiring banks risk management programs. It is from personal
experience alone and in this article’s writer personal opinion that acquiring banks are sometimes digging their own graves. It has been demonstrated several times during the past years by acquiring
banks that the requirements they stipulated to their merchants and service providers were those of minimal effort needed and not nearly adequate to allow these merchants and service providers’ ample time and strategic planning for meeting with PCI DSS compliancy. For instance, if you are a large merchant that during the past two years has gotten used to getting quarterly letters politely asking you to complete an SAQ statement and to conduct quarterly scans and nothing more, imagine the shock when you suddenly get a letter requiring you to fully comply with PCI DSS and pass a PCI DSS audit by a certified QSA within a month.
Last challenge I will discuss within the confines of this article is the level of comprehension obtained by information security professionals in regards to this standard. It is not uncommon by information security experts to misinterpret the standard. Most security professionals have some firm beliefs in regards to their own competency level at the various information security domains. As a result some will argue against some of the standard’s requirements, some may design unneeded complex solutions or some might simply negate some basic requirements, thus misguiding the organization.
The simple, and to this writer’s opinion, the only way for a successful PCI DSS project is to have a QSA on board during all crucial milestones in the decision making process and along the work plan’s establishment process. Having a QSA on board will not only assure the organization that the road to compliance is clear, but it will also allow some transfer of responsibility and liability to another qualified factor.
Ben, Ben Aderet – Co Founder of GRSee Consulting