In the world of security, delegation can be good.
Some of the retailers with the best strategies have figured out how to "deputize" internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement. These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT.
Over the last several months we've conducted more than 100 hours of anonymous interviews with retailers, hotels, banks, card processors, PCI assessors, service providers and security technologists. We are about to issue the first report based on those interviews, called the PCI Leadership Report.
Beyond the delegation discovery was the realization that data security can go well beyond payment data. One of the best examples of going beyond PCI is the organization that applies the PCI security controls to social security numbers, account numbers and other confidential data. The key is defining and enforcing a "data classification" scheme. (We addressed this in an earlier column and still recommend a near-term focus on adding SSN protection to credit-card data protection.)
The key point of the new report is to provide an in-depth examination of what leading merchants are doing to go beyond the "minimalist" approach to the PCI "checklist" and to prepare their enterprises to protect all types of confidential data against any type of security breach. What follows are some of the "highlights" of the report, without all the statistics and quotations that would, frankly, take up too much space. If you want the whole "shootin' match," just register at the PCI Knowledge Base. I sense you're getting excited already!
I'll end with a question, just to see if you read this far: We're trying to decide whether our next report should focus on (1) an in-depth examination of how compensating controls are created and where they are used; (2) a study of merchant readiness to comply with PCI DSS 6.6, which comes due at the end of June; or (3) a review of the various technologies, vendors and products, and the positive or negative recommendations of the interviewees. If you have an opinion, please send me an e-mail at [email protected] or visit www.KnowPCI.com and click "Register" to join the PCI Knowledge Base.