Can A Good PCI Strategy Be Based On Saving Money?

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

It seems clear that most retailers are adopting one of two distinctly different strategies when it comes to data security and compliance. Let's label them Cost-Effective Compliance (CEC) and Compliance-Driven Security (CDS). Although both approaches are based on best practices and solid risk management principles, they lead to quite different spending patterns, technology decisions and business cultures.

Key questions include: Is one approach "better" than the other? Where does your company fit? What should you do next?

Cost-Effective Compliance (CEC): Despite its name, in practice CEC is neither about being "cheap" nor about trying to do security "right" at any price. It's a very pragmatic strategy, where IT and the CISO do not assume they have a blank check. Nor do they use PCI or the threat of breaches to justify buying more technology. Where I have seen the strategy be most prominent is when the CIO has a background in business management and works closely with the CFO, and when both executives have a similar view of the role of IT. This applies to many retailers, where merely having to comply with a law or standard is not enough to either get a project funded or keep it funded.

At these firms, project managers have to quantify the business value, threats and risk levels associated with each of the major PCI controls. The rationale is that for some "low risk" control areas, you should spend just enough to pass, while for other areas, a higher risk level or greater business value can justify "above and beyond" spending levels. For SME retailers who can barely afford to spend anything on security, a "package" of security products or services that addresses their issues is the very essence of a CEC strategy.

Impact of CEC on Security Decisions: A CEC strategy can be turned into a series of "rules" to help retailers decide whether to implement a particular control. Essentially, making CEC work requires little more than a classic rank-ordering of security projects by the level of protection and compliance each delivers per dollar spent. For example, purging stored cardholder data gets a very high score on a CEC ranking simply because it costs almost nothing and results in huge reductions in risk, liability and PCI scope while increasing compliance: data you no longer hold cannot be stolen and does not have to be protected.

Outsourcing, on the other hand, is really a shifting of risk from the IT department to Legal, Sourcing or Vendor Management; the merchant still owns the compliance obligation. Considering that PCI DSS 1.2 is likely to mandate physical visits to service providers, the cost-effectiveness of security or payment outsourcing is actually going to be reduced.

Impact of CEC on Vendor Decisions: Although CEC is not about being cheap, we definitely see merchants who practice CEC buying more open-source security tools. Not just any tools and not just because those tools are "free," though. Rather, the merchants' analyses of the risk and compliance ROI can only justify, for a particular control, a specific level of spending. Many merchants and service providers have difficulty determining the cost-effectiveness of specific brand-name software or services. The result is that if they cannot justify the incremental cost based on value delivered or proven functionality, then they will buy a less-expensive product. In 2009 and beyond, we expect that it will become harder to sell "compliance checklist" products or services and that most decisions will be made on manageability and cost-effectiveness metrics.

Compliance-Driven Security (CDS): Dozens of retailers believe that PCI helped them get the security tools they had been telling upper management they wanted for years. But this strategy goes way beyond buying new technology "toys." In fact, the best uses we've seen of a CDS strategy are at organizations where a security architecture already exists. In these cases, CDS becomes a unifying force in filling in any "gaps" in the architecture, upgrading existing products, and improving documentation and policy enforcement.

Another value of a CDS strategy is that it can be used to help explain and manage "cross-compliance" issues, such as applying PCI controls to protect Social Security numbers or employee healthcare data.

Impact of CDS on Security Decisions: Merchants employing a CDS strategy typically use a giant spreadsheet, where PCI, SOX, HIPAA, PIPEDA and a bunch of other laws and regulations are on one axis, the specific controls they mandate are on the other axis, and the software and services which implement these controls fill in the matrix. The goal of this matrix is to identify which technologies, policies and procedures meet which controls. This tool is very handy in identifying redundancies (two products satisfying the same control) and gaps (a mandated control nothing implements). Creating these spreadsheets is difficult for most retailers, but they can be purchased from consultants if necessary. Just filling one in properly can be a useful exercise, and it should be almost a necessity for any Level 2 or 3 merchant as part of filling out a PCI self-assessment questionnaire.
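The compliance matrix described above, and the "multi-compliant" product search it feeds, reduce to a small cross-mapping exercise. Here is an added example of that exercise in Python; it is not the column's spreadsheet or any vendor's product. The regulation names are real, but the control labels and product names are constructed placeholders, not actual PCI DSS, SOX, HIPAA or PIPEDA requirement numbers.

```python
"""Compliance matrix: regulations x controls x implementing products.

Added example, not from the original column. Control labels and product
names are constructed placeholders, not real requirement numbers.
"""
from collections import defaultdict

# Constructed sample data: which control areas each regulation mandates.
REQUIREMENTS = {
    "PCI DSS": {"encrypt-at-rest", "access-control", "log-review",
                "vuln-scan", "data-retention"},
    "SOX":     {"access-control", "log-review", "change-control"},
    "HIPAA":   {"encrypt-at-rest", "access-control", "log-review",
                "data-retention", "breach-notify"},
    "PIPEDA":  {"access-control", "data-retention", "breach-notify"},
}

# Constructed sample data: which controls each product or policy implements.
IMPLEMENTATIONS = {
    "disk-crypto-tool":   {"encrypt-at-rest"},
    "siem":               {"log-review"},
    "log-mgmt-appliance": {"log-review"},   # deliberate overlap with siem
    "iam-suite":          {"access-control"},
    "scanner":            {"vuln-scan"},
    "retention-policy":   {"data-retention"},
}


def build_matrix(requirements, implementations):
    """Return {regulation: {control: [products implementing it]}}.

    An empty product list for a control is a gap for that regulation.
    """
    covered_by = defaultdict(list)
    for product, controls in implementations.items():
        for control in controls:
            covered_by[control].append(product)
    return {
        reg: {c: sorted(covered_by.get(c, [])) for c in sorted(controls)}
        for reg, controls in requirements.items()
    }


def gaps(matrix):
    """Controls some regulation mandates that no product implements."""
    return sorted({c for row in matrix.values()
                   for c, prods in row.items() if not prods})


def redundancies(matrix):
    """Controls implemented by more than one product: {control: products}."""
    found = {}
    for row in matrix.values():
        for control, prods in row.items():
            if len(prods) > 1:
                found[control] = prods
    return found


def coverage_by_product(requirements, implementations):
    """Which regulations each product helps satisfy (multi-compliance)."""
    return {
        product: sorted(reg for reg, needed in requirements.items()
                        if controls & needed)
        for product, controls in implementations.items()
    }


if __name__ == "__main__":
    matrix = build_matrix(REQUIREMENTS, IMPLEMENTATIONS)
    for reg, row in matrix.items():
        print(reg)
        for control, prods in row.items():
            print(f"  {control:16} {', '.join(prods) or '<GAP>'}")
    print("gaps:", gaps(matrix))
    print("redundancies:", redundancies(matrix))
    print("regulations per product:",
          coverage_by_product(REQUIREMENTS, IMPLEMENTATIONS))
```

With the constructed data, the run flags two gaps (breach notification and change control, mandated but unimplemented), one redundancy (two log products covering the same control, a candidate for consolidation), and shows that the access-control product counts toward all four regulations, which is exactly the "multi-compliant" property a CDS merchant looks for when choosing vendors.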

Impact of CDS on Vendor Decisions: Once the merchant has filled out the "compliance matrix" or a comparable Web-based questionnaire, the search for "multi-compliant" software and services begins. The goal is to work with vendors who help the merchant avoid compliance silos by demonstrating, and providing reporting tools for, multiple standards, laws and regulations at once. Again, we are seeing compliance reporting and flexible configurations that can be changed as new versions of standards (e.g., PCI 1.2) or laws emerge become very important in selecting software and services for merchants who are employing a CDS strategy. This tends to drive CDS merchants away from open-source and more "basic" solutions, which typically trade that flexibility for lower cost and a simpler management interface.

The bottom line on these two compliance/security strategies is that both will lead to compliance and both have many "best" practices associated with them. The difference is that CEC will likely cost merchants less in the near term, while CDS offers greater flexibility at a somewhat higher cost to a merchant faced with a broader range of compliance requirements. Although one could argue that there must be a "hybrid" strategy, in most cases the fundamental goals of CEC (spend only what each control's risk justifies) and CDS (use compliance to complete a security architecture) are in conflict, which makes such a middle-ground approach impractical.

By the way, if you're a retailer, we want to get you involved in the best practices study we're doing for the National Retail Federation. If you'd like to participate, send me an E-mail at [email protected] or visit the PCI Knowledge Base.