By John Kindervag
The No. 1 myth I hear from clients is that PCI is hard. It's not uncommon to find IT staff wringing their hands over where to start. A more accurate description might be that PCI is comprehensive. With 12 requirement areas, it can be a daunting task just to make sense of the documents. But in fact, PCI is just good, basic security. A diligent company should already meet most of the requirements before it even begins reviewing itself for PCI compliance. Additionally, there are products and services ready to be deployed to meet almost any of the requirements. IT departments don't have to reinvent any wheels to meet PCI.
By their own admission, the creators of the PCI standards designed good baseline security that would be reasonably attainable. This is not cutting-edge stuff. For the most part, the majority of the requirements should already be part of the information security strategy, policy and infrastructure of any client with even the least attentiveness to creating a secure network.
What many people really seem to mean when they say PCI is hard is that it is not cheap. For years, IT security professionals within these organizations have known there are glaring gaps in the security posture of their companies. I have seen these people make tremendous efforts to plug their security holes, only to be shot down by finance because costs would be incurred.
You could, in fact, make a strong case that PCI is the direct result of poor corporate governance by organizations handling credit card data. Had those organizations made best-practice efforts to secure that data, credit card theft and fraud might have been negligible, thereby reducing the need for the credit card companies to create a set of minimum standards to help offset the risk of offering credit card services.
So PCI may be expensive, but it is certainly not hard.
Five myths of PCI compliance
Introduction to the myths of PCI compliance
Myth 1: PCI is hard
Myth 2: PCI will make us secure
Myth 3: Encryption is scary
Myth 4: "I don't take enough credit cards…"
Myth 5: Product X will make me compliant
About the author
John Kindervag is a 20-year veteran of the high-technology world. He is the senior security architect for Vigilar Inc., where he helps corporations design secure networks and manages Vigilar's Vulnerability Assessment and Compliance Practice. Kindervag holds a Bachelor of Arts degree in Communications from the University of Iowa.
This was first published in August 2007