This Monday (Jan. 12), the National Retail Federation announced a set of 25 PCI best practices designed to improve "cost-effective compliance." We vetted these practices with the NRF's CIO council and spoke with many others about them. The primary reaction was that "cost" is the correct focus at this point. We talked to several people who have security responsibilities, and PCI is one of the few things for which there is still budget. But for the near future, anything they buy also has to have additional justification. To that end, several of the NRF's best practices focus on replacing manual controls (and the labor costs that go with them) with automated controls. Log management, configuration management and threat management are all areas where poorly coordinated manual procedures expend skilled labor on relatively low-level tasks, and so they have the strongest justification for automation.
On the tradeshow floor, I watched for a while as two very nice ladies attempted to stop passers-by with the line: "Are you PCI compliant?" They were getting nowhere with that pitch; people either said "yep" or ignored them. After speaking with them at some length, it turned out that the most common response was "I think so." But even those who weren't sure didn't want to learn any more. I believe the problem is that once PCI is assigned (still, for the most part, to IT), most people in the company assume that it's "done." So all the harping by vendors, assessors and even leading retailers that PCI needs to be part of operations and continuously monitored is being ignored by most people on the business side, because they assume it's being "handled" and that compliance has been "achieved."
I discussed my observation above with several other security folks at the show. The conclusion we reached is that there is a major gap between most retailers' "real" level of security and compliance and what many businesspeople in the organization believe it to be. One of the reasons for the misunderstanding is the "pass/fail" PCI compliance grading system. Although compliance with the PCI standards is difficult to achieve, receiving a "passing grade" from an assessor (for Level 1 merchants) leads, in the vast majority of cases, to a period of "slacking off" on security until the ramp-up to the assessor's visit a year later. Even smaller merchants, who do their own self-assessment, experience this "manic/depressive" cycle when it comes to such things as documentation of access controls, log review and other tasks related to compliance monitoring.
Several companies on the show floor were talking about "beyond PCI" issues and technologies. As the NRF's PCI best practices point out, PCI needs to be managed as part of an overall governance, risk management and compliance (GRC) strategy. That's sound advice, of course, but not as tactical as many people need right now. Rather, I think a better "beyond PCI" message is to focus on PA-DSS and PCI PED, which have specific deadlines and very clear mandates, and yet the scope of their implications is understood by very few. If you don't know what these terms refer to, then I've made my point. The PCI best practices also include clear recommendations to begin planning now for any necessary upgrades or replacements of affected payment applications and PIN entry devices, because the process typically takes months, particularly for those retailers who will have to switch vendors.
If you are interested in learning more about the NRF's PCI best practices, they were issued through the NRF's ARTS committee, which is responsible for retail industry standards. You may also visit the PCI Knowledge Base, as we worked with the NRF to conduct the research that generated these best practices. Or just send me an e-mail at [email protected]