Making sense of compliance and governance
- Article 22 of 33
- SC Magazine, June 2010
Whether it is one big Sarbanes-style law, or by many tiny amendments, compliance is here to stay. Don't let it faze you, says Rob Buckley.
All tiers of companies that handle credit card data should, in theory, be PCI DSS-compliant already. However, this was also true in 2005 and subsequent years, with Visa Europe and others continually putting back the deadline. With few being publicly punished as a result, PCI DSS wasn't taken as seriously as it should have been.
The PCI does expect everyone now to be compliant with PCI DSS 1.2 by September, but James Carnie at managed services company eLINIA says that having a roadmap showing how the organisation intends to become compliant should be sufficient in most cases. However, where an organisation isn't compliant and chooses to use ‘compensating controls' – alternatives to the specifications that, it argues, make the organisation just as secure – these mustn't be a fudge designed to avoid compliance, since that will result in fines in the event of a breach.
Becoming compliant can be hard. Many companies think they are compliant and only those who conduct a large enough number of transactions will be audited for compliance. It's only if a breach occurs that they find out that their security doesn't quite meet the standards set. Benj Hosack, director at Foregenix, says that while those companies that do enough credit card transactions per month to qualify as ‘tier one' companies have largely become compliant, many of those in tiers two and three, particularly new arrivals such as web hosting sites, have yet to become compliant and may not even be aware they need to be. “Most businesses don't have a full handle on where their card data is,” Hosack says.
However, there are some tier one holdouts, principally those with large legacy systems that would be hard to update. Carnie says that PCI and bank fines are not sufficient to push tier one companies into compliance and that, as a result, the regime discriminates against smaller companies. “It's easier for tier one companies to pay the fines than it is for them to become compliant.”
Changes are planned for PCI DSS that will be introduced as part of v1.3 of the specification in October of this year. These will largely be to adjust to changes in attack vectors by hackers. Christopher Jenkins, security business manager at Dimension Data, says that the expectation is that there will be greater clarification of certain issues, rather than anything too radical. The scanning of networks for card data is probably the biggest change to be expected, he says, but other moves might include specs around the security of point-of-sale terminals, encryption and when to use two-factor authentication. But, Jenkins says, there “shouldn't be anything to wake people up or scare them”.
There will always be more compliance legislation – and security people are going to have to keep up with it. But even after the biggest financial crisis since the Great Depression, coordinated changes to compliance around the world are unlikely. Instead, small changes in different countries and the compliance requirements of different industry bodies are more likely to affect how you conduct business. You'll still have a handful of balloons to manage...
Changing the mindset, not just the processes
Meeting compliance regulations in the future is likely to mean not just a change in processes, but a change in mindset, according to Craig Carpenter, VP of marketing at information risk specialist, Recommind.
“Assume you'll have to report on everything and have complete transparency for the regulators,” he says. “Plan for that. It may not happen this year, but that's the right approach to take to it.”
It's likely that future compliance legislation is going to be focused on what companies offer to sell to customers. “You need to work from the perspective that five years from now, someone is going to look back at what you're doing today and ask, ‘Why did they do this? Was it legal, ethical?' You need to prove in hindsight that what you're doing now is legal, ethical and above board.”
He says the best way security professionals can help with this is by making sure they apply their current perspective of what they're doing in their daily jobs already to this area. “How are the product's marketing materials and sales materials being tracked? What do we know about what is being communicated? What policies are in place? This is bread and butter to what security people do.”
