Is PCI Done?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

I find myself wondering whether PCI is still a hot topic. I am not questioning whether PCI is worthwhile or if it reduces a merchant's risk of a data breach. The answer to both of these questions is an unqualified "yes." Rather, I note the lack of significant changes in the standard coupled with developments in the PCI ecosystem, and I question whether PCI is still—as a fellow QSA says—"sexy." The answer to this question can have implications for both QSAs and the merchants who rely on them not just for assessments but also, increasingly, for advice and guidance.

PCI DSS is now firmly in the mainstream. The standard itself has not changed to any great degree for several years, and version 2.0 is locked for the next three years (barring some unforeseen development). This situation is good news for merchants, banks and processors. They benefit from a stable PCI that enables them to plan their investments and technology infrastructure with confidence that they won't have to make changes too soon.

Even the smallest merchants seem to have heard of PCI, and they either have made some attempt to be compliant or are consciously choosing to run the risk that they won't suffer a cardholder data breach. In my own case, I rarely need to use my "Five Stages of PCI Grief" slide when I do PCI training. A couple of years ago, that image of a screaming merchant captured the zeitgeist of the situation. Today, though, it seems merchants and processors have gotten past griping about PCI not being fair and believing it doesn't apply to them and, instead, have moved on to working on compliance.

The PCI blogosphere reflects PCI's going mainstream. I monitor a number of PCI and security blogs daily, and I am sure many StorefrontBacktalk readers do the same. Two important changes have occurred in the PCI blogosphere. The first is that there are a lot fewer posts these days. Respected security bloggers are writing one or maybe two posts a week. In the past, these bloggers used to have important things to say each day and, in some cases, several times a day.

A second change in the blogosphere is that there are a lot fewer reader comments in response to the blog posts. I used to check my favorite blogs a couple of times a day to get the latest information, leave a reply to a post or maybe ask or answer a question on the now defunct PCI forum. Certainly some of the reader commentary has moved to Twitter, but the present lack of give-and-take between bloggers and their readers tells me people aren't as passionate about PCI as they were.

Speaking of passion, another sign of PCI's maturity is that a number of the original PCI thought leaders seem to have lost their passion for PCI. They have moved on. I have the great pleasure to know many of these people, and a couple of them are good friends. Most are still active in the field of information security, but they are no longer QSAs and they are not necessarily working just on PCI compliance. They left for many reasons, but a common thread seems to be that there is not much new in PCI to engage their attention and energies. PCI is no longer sexy for them. Their departure means we have lost some of the energy, enthusiasm and sense of community they brought to QSAs and merchants alike.

The end of PCI has implications for merchants and their QSAs. For one thing, QSAs will need to be more than just assessors. That is, I think more merchants will expect their QSAs to be partners in achieving and maintaining compliance. Such a partnership includes addressing the full range of security and risk issues that affect the business. As a result, QSAs will need to know a lot more about the payment-card business and the merchant's own business than any amount of PCI Council training can provide.

We can see evidence of this broadening of the QSA's role in the growing number of Internal Security Assessors (ISAs) who have been through the Council's training. With more ISAs, external QSA firms will need to provide more than a signature on a ROC if they expect to keep growing their business.

I personally think the spreading of PCI expertise is a great development. It benefits all parties involved and makes the assessment and compliance process easier and faster. But if a lot of the PCI "old guard" are leaving, as I contend, where will we get all these additional QSAs with broad-based business and payment knowledge?

I haven't got an answer to that one. What worries me is that we may see more QSAs who know security but lack the business experience their clients expect. My first QSA training class had maybe 60 people in it, and I don't think more than four or five of us had any experience in the payment-card processing business. The rest were sincere, eager and, in my eyes, very green—regardless of the fancy initials many had after their names. Trust me: It may be time to worry when you hear a potential QSA ask, "What is an acquirer?"

One solution to providing the additional expertise might be for QSA firms to hire more people with a retail, payment processing or even consulting background. Or, in a variation on this approach, we might see more QSA teams working on compliance assessments where different QSAs contribute particular knowledge or expertise.

Whatever happens, many others and I will still be here for a while. It may not make too much sense to say this, but even though it is the end of PCI, it is still what we do. What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].