Each iteration of the Payment Card Industry Data Security Standard (PCI-DSS) brings requirements that are more specific about the controls needed to safeguard critical data and infrastructure assets. Sometimes these changes mean selecting and adopting new technology; more often they mean adapting an existing PCI-DSS control to make it more effective.
Sometimes these changes are subtle; sometimes they are profound. The upcoming changes in PCI-DSS are a little of both, but rather than focus on them specifically, let's look at PCI-DSS compliance in general.
At this point it should be clear to everyone with a pulse that the delicate balance involved in shifting the requirements from "should" to "shall" is driven by the ever-increasing pace of data breaches and the legislation governing their disclosure and remedy.
What PCI-DSS represents is the minimal standard required by the industry to indicate that a certain level of due care and diligence has been performed. It doesn't, however, certify that an entity that is "PCI compliant" is "secure." It also doesn't mean that risk is appropriately managed and mitigated to an acceptable level. It simply means that certain steps have been taken to become compliant with the requirements defined within the standards.
If you need an example, look no further than the recent case of Hannaford Brothers groceries, a company that was certified as being compliant with PCI-DSS and managed to suffer an egregious security breach.
Why is this unfortunate example an opportunity for the channel? The answer comes in two parts:
First, it's clear that compliance does not equal security. Beyond the need for compliance, digging deep with a customer and partnering with them to manage risk -- of which compliance is a by-product -- provides a true service that is a win for both you and your customer.
Second, refuse to offer "compliance made easy" as a solution to your customers. This will earn you respect. As revisions to compliance regulations arise, you will be the trusted advisor who provides assessments of readiness against those requirements. If you can combine a well-stocked solutions portfolio that addresses the technical requirements of evolving elements of compliance with a strategic, risk-focused consulting approach, you will gain the trust of your customers.
This was first published in May 2008