10 Years Of PCI DSS

Posted by Chris Scott

As PCI DSS reaches its 10th anniversary, the question is whether it will last another 10 years or whether other standards are set to supersede it. The standard still faces a number of challenges and criticisms: trust issues, Self-Assessment Questionnaires (SAQs) being seen as a tick-box exercise, the Security Standards Council's (SSC) closed community, monopolisation of the market, inconsistent policing of the standard, and a bottom-up penalty approach to non-compliance that singles out small businesses. These are all well-documented findings, based on feedback from the market, which have placed the standard under serious scrutiny.

A letter written by Mallory Duncan, Senior VP and General Counsel of the National Retail Federation (NRF), to Chairwoman Ramirez at the Federal Trade Commission (FTC) explicitly expressed grave concerns and trust issues around the PCI DSS standard. The letter goes as far as to urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practice or as a benchmark of reasonable data security standards. A detailed white paper entitled "PCI Data Security Standards: Federal Standards Setting and Competition Policy Concerns" backed up the NRF's statements, highlighting that the PCI standard is decided and agreed upon by a proprietary organisation formed and controlled by a single sector (the major card networks), leaving other sectors out in the cold.

Further criticism was targeted at the SSC for the release of version 3.1 of the standard (April 2015), which was seen as a knee-jerk reaction to NIST publications and caused quite a bit of controversy within the market because of its stringent deadline around SSL and early TLS: both were declared no longer to be examples of strong cryptography, and merchants were originally given until 30 June 2016 to migrate off them. Merchants categorically stated that the timeframe could not be met, which forced the SSC to rethink its approach. The deadline was pushed back to 30 June 2018, and an incremental version of the standard, v3.2 (April 2016), was released to incorporate that change and address market feedback. The CTO of the PCI SSC, Troy Leach, reacted to this by stating that incremental changes to the standard will be commonplace because of the constantly evolving nature of cyber security.

Over its 10-year history, PCI DSS Self-Assessment Questionnaires (SAQs) have also been questioned. Although the theory behind self-assessment is well intended, some believe that SAQs are nothing more than a tick-box exercise, where the merchant ticks a form to declare that they have built their environment according to PCI DSS requirements. This approach leaves a lot of room for error, as the merchant is left on their own to interpret the requirements set in the standard. It is worth remembering that SAQs apply only to the smaller merchant levels; a Level 1 merchant must have an on-site assessment by a Qualified Security Assessor (QSA) or a qualified internal auditor and produce a Report on Compliance. More worryingly, a self-assessing merchant can make a false declaration with minimal risk of being independently audited, given the lack of PCI DSS policing. This is a concern, as most consumers think their data is protected by the standard.

Despite these criticisms, since the PCI SSC was formed in 2006, PCI DSS has seen seven revisions. Each iteration has tightened controls against threats seen in the field, which has made the standard more robust. As far as standards go, PCI DSS, done correctly, will build secure foundations for any business that stores, processes or transmits cardholder data. However, relying solely on a standard to completely protect you from a cyber attack would be foolish. Its controls also apply only to the in-scope cardholder data environment, so a compliant assessment says nothing about the rest of your estate. I have always maintained that PCI DSS is sensible IT with simple controls. It is up to you as a business to constantly assess your environment for attacks and vulnerabilities, as it would be impossible to expect a standard to cater for the constantly evolving landscape. As technology advances (mobile payments, wearable tech and so on), so does the sophistication of the attacks against it. PCI DSS will help you design and build your infrastructure and processes to deal with these attacks, but it is up to you as a business to protect yourself and your customers.

There is no doubt that there is still room for improvement in developing the standard. I believe incremental revisions are a good thing, as they will help the standard evolve over time. It would be good to see more policing and auditing of systems, particularly where SAQs are used. There should be a zero-tolerance approach to non-compliance, from small businesses to large, and fines should reflect this. More help and support should be available to merchants so that questions about the standard can be answered and environments can be built correctly. Finally, the SSC should also allow members from other industries to sit on the Council, to ensure the standard is built with other sectors in mind.