Tom Olzak

PCI DSS Compliance Made Easier, but Upside Down

In Data Security, PCI DSS, Risk Management on March 16, 2009 at 17:18

Most companies required to comply with PCI DSS are SMBs, so implementing security controls to protect cardholder information is not an easy task.  The difficulties begin when business owners and managers realize they don't even know where to start.

The PCI Security Standards Council, using information from security breaches, security assessors, and forensics investigators, recently released a set of tools to help jumpstart the process.  Although the council’s tools are useful, I disagree with how some of the compliance tasks are prioritized.

The Tool Set

The tool set consists of a roadmap document, The Prioritized Approach to Pursue PCI DSS Compliance (PDF), and an Excel file with worksheets to track progress.

The PDF document begins with a general introduction to the prioritization process.  It contains no specific information about the DSS itself and no details on implementing controls.  What follows the introductory material, however, is a well-defined roadmap for achieving compliance.

The roadmap is based on six compliance milestones, as listed in Table 1.  The milestone number designates the importance of associated goals, with Milestone 1 having the highest priority.

Table 1: the six compliance milestones (image in the original post; not reproduced here)

The roadmap following this table in the PCI document lists all PCI DSS requirements and assigns a milestone number to each, as shown in Figure 1.

Figure 1: PCI DSS requirements with their assigned milestone numbers (image in the original post; not reproduced here)

This information is also available in the Excel worksheets, as shown in Figure 2.  In this example, I used the preconfigured filter to list only Milestone 1 (high priority) tasks.  I also entered “Yes” into two of the tasks, which automatically show as percentage complete in the second worksheet, shown in Figure 3.

Figure 2: the worksheet filtered to Milestone 1 tasks (image in the original post; not reproduced here)

Figure 3: the progress worksheet showing percentage complete (image in the original post; not reproduced here)

The tool set is very easy to use and helps businesses understand which tasks to complete first, and which uncompleted tasks present the highest risk.  However, I disagree with two priority assignments.

Issues

First, creation of policy and employee awareness comes last.  These activities should come first.  Development of a security strategy and the supporting program provides the framework upon which to construct layered controls.  This should be the number one priority.

Second, I agree with eliminating as much cardholder information as possible from network or local storage.  However, it shouldn’t be a higher priority than securing the perimeter or implementing access controls.  What happens to the network, systems, or data while an organization sifts through gigabytes of stored cardholder information and revises data collection policies in the absence of adequate access controls?  Can you say breach?

Finally, the priorities as defined might not apply to everyone.  But when I attempted to change a priority value in the spreadsheet, I was prompted for a password.  I would like a little more flexibility.  (Yes, I know.  These passwords are usually easy to crack, but how many small business owners have the skills to do that?)
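The parenthetical above deserves a concrete illustration, because it is a point practitioners run into with every "locked" tracker: Excel worksheet protection is a convenience against accidental edits, not a security control.  The following script is an added example written for this page; it is not part of the PCI SSC tool set, and the workbook it operates on is a constructed stand-in, not the Council's file.  It assumes the tracker is in Office Open XML (.xlsx) format, where a sheet's protection is a single `<sheetProtection>` element in the sheet's XML part that Excel enforces only in its own UI.  The older binary .xls format (which a 2009 download may well have used) is a different container and is not handled here.  Function and constant names are my own.

```python
"""Remove worksheet protection from an .xlsx file.

Added example for this post; not part of the PCI SSC tool set. It assumes the
tracker is in Office Open XML (.xlsx) format. The binary .xls format is a
different container and is not handled here.
"""
import io
import re
import sys
import zipfile

# Office Open XML keeps a sheet's protection as one element inside the sheet
# part, for example <sheetProtection sheet="1" password="CC1A"/> (legacy
# 16-bit hash) or with algorithmName/hashValue/saltValue attributes (SHA-based
# hash). Excel enforces the lock only in its UI, so deleting the element
# unlocks the sheet without ever recovering the password.
SHEET_PROTECTION_RE = re.compile(
    rb"<sheetProtection\b[^>]*?(?:/>|>.*?</sheetProtection>)", re.DOTALL
)
WORKSHEET_PART_RE = re.compile(r"^xl/worksheets/sheet\d+\.xml$")


def read_part(xlsx_bytes: bytes, name: str) -> bytes:
    """Return one part (member file) of the .xlsx container."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return z.read(name)


def protected_sheet_count(xlsx_bytes: bytes) -> int:
    """Number of worksheet parts that carry a <sheetProtection> element."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return sum(
            1 for name in z.namelist()
            if WORKSHEET_PART_RE.match(name) and SHEET_PROTECTION_RE.search(z.read(name))
        )


def strip_sheet_protection(xlsx_bytes: bytes) -> tuple[bytes, int]:
    """Rewrite the container with every <sheetProtection> element removed.

    Returns (new_xlsx_bytes, number_of_sheets_unlocked). All other parts are
    copied through byte-for-byte, so formulas, filters and formatting survive.
    """
    out = io.BytesIO()
    unlocked = 0
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if WORKSHEET_PART_RE.match(info.filename):
                data, hits = SHEET_PROTECTION_RE.subn(b"", data)
                unlocked += 1 if hits else 0
            # Fresh ZipInfo so stale sizes/CRCs from the source are not reused.
            new_info = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new_info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(new_info, data)
    return out.getvalue(), unlocked


def build_sample_xlsx(protected: bool) -> bytes:
    """Constructed minimal workbook for the demo (not the real PCI SSC file).

    Only the parts this script reads are modelled; a real .xlsx also carries
    _rels and [Content_Types].xml parts, which are copied through untouched.
    """
    ns = b'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    lock = b'<sheetProtection sheet="1" objects="1" scenarios="1" password="CC1A"/>'
    sheet = b"".join([
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        b"<worksheet ", ns, b"><sheetData>",
        b'<row r="1"><c r="A1" t="inlineStr"><is><t>Milestone</t></is></c>',
        b'<c r="B1" t="inlineStr"><is><t>Task</t></is></c></row>',
        b'<row r="2"><c r="A2"><v>1</v></c>',
        b'<c r="B2" t="inlineStr"><is><t>Constructed sample task</t></is></c></row>',
        b"</sheetData>", lock if protected else b"", b"</worksheet>",
    ])
    workbook = b"".join([
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        b"<workbook ", ns, b'><sheets><sheet name="Milestones" sheetId="1"/>',
        b"</sheets></workbook>",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python unlock_xlsx.py tracker.xlsx unlocked.xlsx
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            cleaned, n = strip_sheet_protection(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(cleaned)
        print(f"removed protection from {n} sheet(s)")
    else:
        demo = build_sample_xlsx(protected=True)
        cleaned, n = strip_sheet_protection(demo)
        print(f"demo: {protected_sheet_count(demo)} protected sheet(s) before, "
              f"{protected_sheet_count(cleaned)} after ({n} unlocked)")
```

Two things follow from this.  The lock the Council put on the priority column stops a fat-fingered edit, not a determined one, so no one should read it as an integrity guarantee on the tracker.  And an organization that does re-order the milestones for its own environment should record why it did so alongside the tracker, since the deviation from the published priorities is what an assessor will ask about.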

Overall, I think this is a solid approach to helping businesses achieve PCI DSS compliance.  The priorities, however, need a little work.
