The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of compliance policies, rules and procedures designed to ensure the security of credit and debit card transactions and protect cardholders against identity fraud. Our interview with John Gapinski, president of Secured Retail Networks, touches on the importance of PCI compliance, how to make it a less burdensome task for clients, and how changes in PCI DSS will affect customers. John has 13 years of experience in Internet and information security technology consulting.
How would you define PCI compliance to a customer, and why is it important?
Gapinski: The goal of PCI is to ensure the security of payment card data by education and issuing a set of standards. The card brands require that processors have compliant merchants, and the processors in turn require the merchants to comply. Fines and loss of credit card acceptance are the risks to the business.
PCI is important to a business wanting to avoid the fines and continue to process credit cards. However, the risks of noncompliance are greater in the event of a breach of security, in terms of lost consumer confidence, consumer restitution and, for smaller merchants, the need for expensive audits that would not otherwise be required. PCI requirements should be embraced as a catalyst for creating an information assurance (IA) program.
What common misconceptions to do consultants deal with when addressing PCI compliance with customers?
Gapinski: Business owners and IT professionals in the retail space are rarely security professionals. It is a totally different approach to technology. They use technology for totally different reasons than, say, a service business. Retailers are focused on the business metrics and customer experience, and putting security limits on technology can [be perceived as] complicating the customer experience.
I see companies treating PCI like a laundry list of things they need to do or buy, ignoring the big picture. Other companies try to tackle the problem by limiting the scope of the network that handles payment processing as much as possible. PCI DSS is good in that it gives you a specific map of things to do in order to get compliant. If companies would focus on a top-down approach to IA, they would find they already to what PCI requires. At a high level, this essentially means understanding the business objectives, mapping them to policies, and using technology to deliver, enforce and monitor those policies.
What can you do to make PCI compliance a less burdensome and more smoothly running process for companies?
Gapinski: Our goal is to deliver a lifecycle information assurance program to our clients. If companies adopt a lifecycle approach to IA, they will already have the process and systems in place to enable them to meet PCI compliance. There may be configuration changes, or projects that will need to be done, but in general, with executive buy-in to an IA program, PCI will be much simpler to handle.
With many vendors offering PCI compliance services today, how should customers differentiate between different resellers?
Gapinski: Customers should look for two things. First, broad-based experience in information assurance services is the most important, since I believe that a well-done lifecycle IA program will make compliance with PCI a fairly trivial matter. Second, I think it can be very beneficial to customers to work with partners that specialize in their vertical markets. It helps to speak the language and have familiarity with the systems often shared among customers in the same space.
What are some key aspects of your PCI compliance strategy and how does this differ from that of other vendors?
Gapinski: The central strategy is the delivery of a "virtual CSO" service. The vCSO is a flexible program to allow midsized enterprise organizations to focus on their core business systems, while engaging a virtual, part-time team member to maintain a lifecycle information assurance program.
The difference is that we are not just a VAR that focuses on selling product, where PCI is the latest sales tool. We are a consulting firm that focuses on information assurance with the added benefit of having experience in the space affected by PCI.
What are some impending changes in PCI compliance standards and strategies for the near future?
Gapinski: PCI released the 1.2 standard on Oct 1, 2008. There will be clarifications on a number of things. Most notably, wireless standards will tighten by the elimination of WEP as an option; application layer firewalls are required. [The release also provides] clarified requirements to log external devices internally and for penetration testing.
I think more organizations are going to look to outside help to handle the management of a compliance program, and I think managed services will start to become more attractive to meet these goals, and keep internal focus on their business objectives.
How are these changes affecting resellers?
Gapinski: I think that many resellers see large opportunity in PCI compliance due to the prescriptive nature of the standard. Some specific things have to be done and new products or upgrades may be the only way. Many resellers are following their vendor's lead in pitching products that can point to solving a specific bullet point in the PCI DSS standard. However, there is no one-product solution, so any pitch is an incomplete offering at best. This leaves the customer to deal with integration of perhaps dozens of technologies.
I see opportunity for a niche reseller to focus on information security best practices and offer guidance and consulting on the things needed to get companies compliant. In the end, there will be additional opportunities in product upgrades or managed services, but the approach needs to be conservative in nature.