In a nice article on TechTarget, John Kindervag, a wicked smart guy, provides a recap of his presentation given at the Forrester Security Forum 2008, entitled “The Inside Story of PCI: Confessions of a QSA.” John provides some very pragmatic steps for addressing PCI compliance (and they can apply equally to others – SOX, HIPAA, BASEL, IFRS). I felt John had some good points and have added my comments below:
To narrow down the scope of PCI, companies should first segment out network systems that contain credit card data.
I agree with a contingency – that the business examine HOW business processes are operating and designed. This is a natural by-product of a deep control evaluation due to the nature of interviews and bringing together teams. Segmentation and reduction in the number of steps / systems / processes provides immediate cost and time advantages.
“Compliance is a marathon; a never-ending marathon,” Kindervag said.
I completely agree! I would add, and those who have experienced a marathon training program will agree, that preparation is the key to achieving this level of compliance. It is not enough to simply create a 1-year budget, knock out the requirements by buying tech / consultants, and forget it in years 2, 3, N. Instead, treat this as a line of business – one that is regularly measured and funded, and of which improvements are required. Treating compliance in this manner will establish a culture that integrates compliance needs into the core of the business without the teams becoming exhausted from sprints and emergency efforts.
“The only way to indemnify yourself from fines is to be compliant at all times,”
This one is tricky because it requires firms to be continuously testing their control environment to demonstrate compliance. The technology exists today to provide this capability, and certainly the benefits are obvious. Firms should work on automating triggers and alerting systems that initiate response teams in the event that a control environment violates a compliance mandate. This will ensure PCI DSS compliance is maintained. In addition, ensure that both the preventive and detective components of PCI are in place.
Next, conduct a gap analysis. Focus on wireless, Kindervag said.
Wow, yes and no. I agree the gap analysis is a proper step, but focusing on wireless is not the critical path in achieving and continuously maintaining a compliant and secure environment. Wireless is important, and has been the source of problems for some folks, but following the risk-based approach article I would recommend isolating the transmission and storage of cardholder data. Meaning – establish a trusted path first, and this will cover wireless as a by-product.
A nice article, and John raises some very good points. John sums up PCI and safeguarding data through segmentation in a simple quote, “PCI is a communicable disease.” Email your Forrester contact for a copy of the presentation. Check out the article, as he raises something near and dear to my heart – creating a collaboration platform that creates transparency and a vehicle for accelerating compliance.
James DeLuccia IV