Gary Palgon
Vice President, Product Management
nuBridges
London’s a great city, and the London Underground subway, the “Tube”, makes it so easy to get around, except when the Tube workers decide to go on strike. That’s exactly what happened last week, Tuesday through Thursday night. I expected the worst for attendance at the Corporate IT Forum's Information Security Service’s PCI DSS Conference on Wednesday, but it was hardly that: the venue was packed with business and information security professionals eager to network and to learn how to comply with the Payment Card Industry’s Data Security Standard (PCI DSS).
The following were key discussion points at the TIF Conference:
- There are inconsistencies between Qualified Security Assessor (QSA) firms and individual QSAs; as a result, the enterprises they are assessing are often left with little knowledge of where they stand in the compliance process.
- There’s a conflict of interest with some QSA firms, because the same firm conducts the security review, performs the audit, and sells remediation software and hardware for compliance.
- Tap into your own employee talent pool to assist with security requirements; employees are often glad to help, can apply their skills, and will take an interest in your project.
- Use PCI DSS compliance as a way to get funding for known security holes in your organization.
- Security best practices meet the PCI DSS requirements, but the reverse is not true: meeting the requirements alone does not amount to security best practice.
- Compensating controls must be reviewed annually as of the October 2008 update of the PCI DSS (Version 1.2). Just because you passed last year doesn’t mean you’ll pass this year.
- Open source is a valid way to help comply with the PCI DSS; however, consider the scalability and customer support of the products, since they may not be right for your enterprise.
And a few personal observations based on the discussions:
- PCI DSS compliance is not “one size fits all”: network with your peers inside and outside of your industry and compare how others have addressed similar problems.
- There are multiple ways to “reduce scope”, including network segmentation and tokenization; it’s important to consider how each can help your organization.
- Collaboration and continued communication between QSAs, security consultants (distinct from QSAs), and solution vendors can help set a clear path and yield success with compliance.
- Compliance doesn’t equal security: to stay ahead of the bad guys you must also consider areas where the PCI DSS falls short, e.g. data in transit within the enterprise.
- It all boils down to risk in the end: how much risk is your organization willing to take with its customers’ credit cards and other personally identifiable information (PII)? Do you really want to be famous for a breach?
Just before I got on the plane to leave London, I read the headline in the local newspaper: “We’ll go on strike again next week if we have to.” Great city, but they may have to take a lesson from the US, where we up and fired the air traffic controllers when they went on strike!
Until next time… Gary