By Joel Weise on Oct 15, 2012
Welcome to the new PCI DSS questions and answers blog. This is the place where I hope to answer all of those nagging questions you have about PCI DSS - as in the Payment Card Industry Data Security Standard. As this is my first blog entry, let me introduce myself. I am a security architect in the Oracle Enterprise Solutions Group and have been doing security, architecture, cryptography, compliance and governance for over 30 years. Previously, I worked at Sun Microsystems, Visa and Bank of America.
At Visa, I was part of the Technology Risk team. It was there that I would say the concept of the PCI security standards was first contemplated. We had already developed various cryptographic techniques and standards (think PIN processing [PVV] or credit card validation [CVV]) and recognized in the 90's that as credit card transactions were moving beyond the VisaNet private network and into the public Internet, there was a need for standardizing security best practices in a more comprehensive way. (I use "security best practices" in a very broad way. I am including technical, operational, governance and other controls, processes and management-level policies here.) Just imagine what could happen to all that sensitive cardholder information if a web merchant didn't implement basic security services such as a firewall to protect their network, or didn't encrypt that data where it was stored. Those best practices were eventually instantiated into PCI DSS.
The way I like to think about it, the foundation for PCI DSS (besides being a good way to reduce fraud and risk) was:
- make it easy to understand and implement (I know some will say, "yeah, sure" to this, but PCI DSS really is not that complex),
- make it comprehensive (it pretty much covers all of the fundamental areas of a security architecture) and
- make it a living standard (and given the revisions we have seen, I think it certainly is).
I'm not going to go into more detail on PCI DSS. Anyone can go to the PCI website and download all of the standards there: https://www.pcisecuritystandards.org/. Likewise, there are a number of books on the subject that dissect PCI DSS pretty well. I will post reviews of books and other sources in the future.
So what does all of this mean? It means that PCI DSS is intended to be a baseline for how to secure an IT system. No, it is not perfect. And no, even if you follow it to the letter, it is very possible you could fail an assessment. But PCI DSS is intended to represent a holistic approach to security architecture and thus can be addressed in a number of different ways. There is no single correct answer to PCI DSS. It needs to be applied in each environment according to the unique architectural characteristics of that environment. And of course, when we consider that QSAs are only human and have their own unique ways to interpret PCI DSS, well, ultimately, it will be up to the QSA to determine whether PCI DSS has been satisfied. (Note: in some cases an organization may not be required to use a QSA, for example if it is a low-volume merchant; but feel free to ask questions.)
With that brief introduction, feel free to send in your questions. Please keep in mind, of course, that this blog represents only my own opinion on PCI DSS. It is always best to get the opinion of your QSA on all matters concerning PCI DSS.