What is the author suggestion? That CIO’s stop complaining and start getting real about security? That is heresy! CIO’s must complain or else they would have to do real work.
Julie

Overall I agree with the author, this stuff should seem intuitively obvious to any Security Professional worth their credentials. I've seen numerous instances, however, where the individual or organization trying to achieve compliance comes to a completely differing viewpoint on PCI interpretation than the auditor. Kind of reminds me when a prosecuting attorney and a defense counselor review the same body of evidence and come to completely orthogonal viewpoints. And both are passionately convinced of the guilt or innocence of the party in question. There are several areas where the PCI audit criteria should be re-writtten to aid in clarity and help reduce such differences with interpretation.

The author is right on target with his assessment of the controls and their simplicity. It takes an information security professional to be able to interpret the legal requirements into security principles that must be applied regardless of the technology environment. In fact, once the principles are strategically applied, any of the new or existing laws can be interpreted by Chief Information Security Officers (CISO's) or as the profession is evolving, the title "Leader's of Change", may be more appropriate.

CIO's need to understand that the majority of the changes made to their network and computing environments for legislation including Sarbanes-Oxley were lead-by and structured-under Audit frameworks. There is a difference when the information security principles are used as the framework for the controls. As the author explains, there are cost-savings demonstrable with metrics that result from applying the information security principles. Additionally, there are many intangibles like customer "Good Will" for which it may be impossible to estimate losses once a security breach occurs.

The time has come for the Chief Information Officer (CIO) to establish a closer relationship with the leader who is going to assess risk, apply controls strategically to achieve compliance and more importantly is going to develop a strong control framework with which to deal with constant change. It isn't difficult. It does require the "know how" of someone who speaks "geek" as well as "business acumen" to do the "right" job.

The author is 100% correct, PCI is basic security.

So many CxO's are so blind to what is going on in their networks. Data is flying out quicker than they can see.

PCI is trying to stop that flow. Why would any reasonable person want to stop that?

Go figure.

Interesting point that there are only “12 simple” requirements, but when you read the PCI requirements document there are actually 200+ detailed, complex and sometimes confusing sub-requirements that are open to interpretation.

For example
9: Restrict physical access to cardholder data

seems intuitive... but one of it's sub requirements is...

9.1.1: Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

What's a sensitive area? It's never defined by PCI standards. Just the computer room? Anyplace there is piece of network equipment? Do I need a camera on every network jack?

How do you audit a video? Does having a guard in a control room watching a screen cover this?

How do you correlate video with other entries? I don't know, do you?

http://www.pcisecuritystandards.org

I'm curious why the author attacks me personally rather than simply making his point using logic and reason. If there are any people in the industry who know the original intent and flavor of the Cardholder Information Security Program (CISP) which evolved into the PCI-DSS as it is now, I would be one of them. Why? Because *I* wrote it (the CISP for Third Parties) along with a select few other folks that worked with me at Exodus while we were engaged with Visa.

What the author fails to get was that the point of my article was more genesis and original intent versus evolution and where it has gone. I'm delighted that CIO gave the author real estate to make his point. Unfortunately my article for Information Security magazine had a strict word count and real estate limit as well as thrust for the article. For that reason, my article was sharp, pointed, and short. The intent of the article was to highlight how the new PCI Council does two things: (1) artificially inflates the cost of compliance for those seeking PCI compliance and (2) presents a serious conflict of interest. Along the way I managed not to bash anyone personally, present a thought-provoking draw-your-own-conclusion article, and did it all on a budget of about 1/4 the real estate afforded the author here by CIO.

Mr. Rothke, in the future if you'd like to bash me personally, please feel free to do so face-to-face rather than jumping to incorrect conclusions in an article in CIO trying to discredit me or my opinion. One call, email, or visit to shore up your details and ask the probing questions you did in this article is all I'd have asked. It is not only the professionally responsible thing to do, it's a courtesy one human generally extends to the other in most parts of the World.

For the record and addressing the last sentence in Mr. Rothke's article, my PhD is in Chemical Physics. Rocket Science to be exact.

Dr. Matthews,

Thanks for the posting. My apologies if you saw my article as a personal attack, which it was no way meant to be.

Your article had complex in the title, and used the term three times in the piece. My point was simply that there is nothing complex about PCI.

Once again, my piece was never meant to, nor did I see it as a way to bash you or anyone else personally.

Ben

PS – As to someone REALLY bashing another, the current issue of Information Security has a letter to the editor in which the writer calls Bruce Schneier's arguments silly, and calls him a ninny. If that is not a personal attack, I don’t know what is.

Saying that PCI is "12 simple requirements" and that there is nothing complex about it is like saying HIPAA is pure simplicity too... it's just 3 simple requirements... physical security, administrative security, and technical security! How could anyone be against that? It's security 101 and the best thing to happen to Protected Health Information. Who would argue with the need for that?

I'm not saying PCI-DSS did not have good foundations or intentions or that the industry doesn't need something to force compliance with minimal security standards. What I am saying is that the detail in the implementation specifications is complex (as has been pointed out by at least one previous comment) and subject to interpretation without any reference to existing security standards that DO have context. Again, the devil is in the details, not the high level requirements.

Certainly it is easy to agree with the author that security is simple and if everyone just did the right thing out of the gate, all would be utopia.

Certainly PCI represents some value to the public. Consumers and merchants of all kinds can benefit, from TJX to store fronts. Compliance for the current PCI standard is a smoke screen, you can with minimal effort achieve "compliance", but the effective risk mitigation of that compliance is marginal. Very few companies take a top down approach to security if its not intrinsic to how they make money, though it does appear those times are changing slowly.

IMNHO. the problem with security, (not the only problem) in general, is not one of guidance (via PCI and others) or theory its one of practical implementation. Having played this game for many years its always the armchair QBs that will tell you that your not selling at a high enough level, your not performing basic security practice, its so easy if you would just have built a security model from the ground up and implemented it every step of the way.

In theory this rocks, but in practice capitalism rules the day. Preach on if you must, give us the audit acronym of the day, but the only way security gets done is to take the complex process of true risk mitigation and simplify the guidance, the implementation, and sprinkle it with multi-year efforts involving copious amounts of work ethic. That is not done by or thru PCI it is done with seasoned security professionals (there are not alot of them out there)...

I'm not sure where all of you live, but in my world I find staff retention, business objectives, infrastructure, application development, Operating Systems, and corporate directives to change faster than a 3 year information security plan. I can also assure you that budgets will not allow full risk mitigation strategies to be deployed in less than that time in any decent sized enterprise. I'll stop now.. :)