Posted by Ed Welsh, Director, Security & Compliance on October 8, 2009 10:30 AM
The week of Sept 21st, I attended the PCI Council Standards Training and Community Meeting in Las Vegas. The training was offered after merchants and service providers asked for more education on the PCI standards and on how the assessors are being directed. The training was a positive experience for me. It showed me that, compared to many other organizations, we (GSI) have a greater understanding of standards implementation and of how to be successful and compliant. It was clear from most of the questions being asked that the basics of the standards are still a major challenge for many.
It was also clear that some assessors (QSAs) still do not understand the intent of the standards. Many folks had questions about assessors who were applying prescriptive elements of the standards to situations they were not intended to address. This was evident in the type of questions asked, such as, "What defines a firewall?" and, "What is network access?" Assessments that are executed properly do not generate these types of basic questions. The best part of the training was the interaction between the students. Those of us with more experience were able to share our thoughts, which, combined with the instructor's input, really helped the whole class.
The standards training ran for two days, with the Community Meeting beginning on the third day. Just as last year, the meetings were interspersed with many personal networking opportunities and vendor expo time.
This year's meeting occurred during the feedback period of the standard's lifecycle, which meant that the general attendance had many opportunities to address the Council directly. I did not do a formal review of the feedback, but it seemed that the most popular topic was risk. As prescriptive as the PCI standard is, it still presents a checklist of items that MUST be completed to be compliant. Alternatively, a risk-based approach would allow the controls of the standard to be applied when and where they would have the most impact on threats. The Council's responses to this feedback indicated that they recognize the issue and will be considering steps to make the standard more risk-based.
A risk-based approach would be good for everyone, but it could be remarkably difficult for those without a strong security program already in place. The difficulty is primarily related to assessing the risk. It is a specific exercise that will generate different results for each environment, and dependence on assessor judgment will increase. Those that already use a risk-based approach would find a risk-based security standard a great improvement over the current prescriptive checklist format.