On September 10th I spoke at the CSO Conference on the PCI DSS with an impressive group of speakers and representatives from across the industry, including Chris Mark and numerous CIOs. The discussions focused on the current state of the union within the Payment Transaction vertical. There was plenty of focus on the usage of ERM, quantification of risk through trending of individual business experience, in addition the transitioning of risk ownership to executives within an organization.
In attendence there was a wide ranging of executives, but the primary population included the financial industry and mainly CIOs. The topics of the conference included “The State of PCI DSS”, Business Process First, Time Inc. ‘Time Goes Global with Compliance”, Best Practices from the PCI Knowledge Base, and of course a panel discussion. Attendees, and friends of CSO Magazine can see the archived presentations (some were VERY rich, more so than is commonly provided) starting today. While it is impossible to breakdown the great sessions and extensive discussions that I experienced, I do want to highlight a few points that stuck with me.
- Future of PCI DSS: PCI DSS is evolving into a risk based approach. It was both predicted by the attending experts that the council will transform to a pure risk based approach to adhere to the global practice.
- RISK Ownership: Success of PCI and compliance engagements partly depends on the ownership and visibility of the benefits of achieving PCI compliance. This was achieved uniquely by several organizations, but the most common was distribution of risk ownership.
- Conflicts of Interest: Separation of Duties – enforcing a mechanism to eliminate the conflicts of interest that exist – the assessment, implementation, and attestation. Specifically companies must put in a frame work (leverage your Internal Audit groups) to restrict individual parties from conducting all three phases.
- Crosswalk / Regulation Alignment / Shared Documentation: It is ideal to leverage the documentation across different compliance efforts – for example BITS. Usage of these must address the amount of overlap that actually exists (i.e., is the overlap sufficient to warrant the work to have a positive return), also is the scope of controls equivalent between the two approaches. Specifically each standard is focused on risks (PCI on Card Holder Data; BITS Financial data), and therefore only addresses those risks. Organizations have numerous risks, and therefore must manage these risks appropriately with each individual set of standards. Organizations should consider bringing together the documentation efforts, and the degree of efficiency that can be achieved through simplifying the controls by limiting the variety of similar control types.
Action: Take a look at how your managing your PCI and other compliance initiatives. Do you have the responsibility? Should you own it, all? Don’t reinvent the wheel – leverage your Risk Management / Internal Audit teams, all the documentation, tools, and charters are there for you to use.
A great seminar where extensive discussions were enabled through the format and quality of the attendees. I paid for this trip to NYC out of my own personal pocket, and found the value to be well worth it.
If readers have specific requests about the presentations (here is the conference agenda), please post them and I will answer them as fully as possible.
James DeLuccia IV