Judging by the buzz at last week's RSA Conference, few data security standards have attracted as much attention in enterprise IT shops as the Payment Card Industry (PCI) data security standard.
PCI is being pushed by Visa USA, MasterCard International, American Express and the JCB International Credit Card Co. and has emerged as a leading example of private industry's effort to regulate itself in the wake of major data breaches.
It prescribes a set of 12 security controls, such as encryption, access management and transaction logging, with which all entities who process payment cards are expected to comply. PCI went into broad effect more than 18 months ago, but it was only after credit card companies warned in December that they would start assessing stiff fines for noncompliance beginning in October that many companies have begun paying serious attention to the rules.
So far, the verdict about how effective the standard is appears to be mixed -- at least among those attending the RSA show.
Some worried that by stipulating specific controls rather than broad security objectives, PCI may be unnecessarily restricting corporate options. Others argued that the rules are too tough for the smaller vendors. One of the biggest fears was that the rules would essentially force giant retailers, midsized merchants and mom-and-pop shops to all become security experts.
"I see pushback from the information security community," said Lynn Goodendorf, vice president of information privacy protection at Intercontinental Hotels Group, the Atlanta-based owner of brands such as Holiday Inn and Crowne Plaza hotels. "I am surprised by it, but I do feel that there has been some resistance" to the idea of implementing specific technology controls dictated by an external entity.
Smaller merchants also lack the resources or technical expertise to understand and implement all of the required controls in the PCI standard, according to the director of corporate security at a Midwest bank who requested anonymity.
The slow adoption to date also reflects the lack of enforcement teeth behind the standard, according to several participants in a PCI roundtable discussion at the CSO Interchange Forum, which was held in conjunction with the RSA conference.
Unless there is visible and stringent enforcement of PCI, it is unlikely to get widespread traction, roundtable participants said.
At the same time, others see PCI as the payment industry's best hope for staving off federal intervention amid growing consumer and congressional concerns about ID theft and fraud resulting from retail security breaches. They also argue that telling IT shops exactly what controls need to be implemented is the only way of ensuring that all companies covered by the rules understand them.
PCI "is definitely not easy to do, and it's very time consuming," said Deven Bhatt, director of corporate security at Airline Reporting, a company that provides ticket distribution and settlement services to more than 145 air and rail carriers. Some of the criticism of PCI stems from the perception that it tells companies how to run their businesses, Bhatt added.
But the standard "has done a lot more good than people think," he said. "The bar had to be raised because of all the breaches that are going on."
The consensus so far appears to be that "PCI is a good road map," said Seana Pitt, vice president of merchant policy and data quality at American Express. "But there are opportunities for more clarifications." Pitt chairs the PCI Security Standards Council, a recently created group responsible for developing and maintaining the standard.
For instance, finding a way to map PCI controls to established information security standards such as those from the International Standards Organization is an often-cited need, she said. They are also calls for more clarity on how the PCI council plans to enforce rules compliance.
Overall, PCI is leaving the payment industry better off than it was, said Gordon Rapkin, president of Protegrity, a security vendor. It has also "shaken money loose" for companies to invest in security.