My Work With The PCI Scoping SIG
(First a disclaimer: Although I am one of the chairs of the PCI Scoping Special Interest Group, everything in this article is only my opinion, not anyone else's, and not an official position of the PCI Security Standards Council.)
Many people are justifiably upset about the subjectivity and ambiguity in the PCI DSS compliance standards. Amazingly, this phenomenon applies equally to merchants and the Qualified Security Assessors (QSAs) auditing them!
Surely one of the frustrating aspects of PCI is this standoff between the organizations who have to comply with the PCI DSS, and the Qualified Security Assessors (QSAs) that audit them for compliance.
The interaction may sound like this:
- Organization: “We have isolated our sales order entry systems as best as we can, and believe we are still effectively protecting cardholder data. Due to an architectural decision, we can’t partition off these systems from the rest of the business processes.”
- QSA: "I understand. But we're still liable for our role. So all 20,000 of your systems will be in the scope of the PCI assessment."
Maybe it's not 20,000 systems that are being argued about. Maybe it's the CEO's laptop, even though the CEO isn't entering customer orders or able to retrieve cardholder records. In any case, it creates waste. Lots of it.
What I'm Doing About It
I worked with the PCI Community to create the PCI Scoping SIG in October 2008. I'll be presenting what we're doing about this problem at the 2010 Las Vegas #BSides conference. Furthermore, I've written a series of blog posts on this topic.
- Part I: "Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer..."
- Part II: "The problems that management and auditors faced in 2005 and 2006 for the IT portions of SOX-404."
- Part III: "Quantifying the huge amount of wasted IT audit effort in SOX-404"
- Part IV: "What goes wrong in a bottom-up SOX-404 audit: a cautionary tale..."
- Part V: "The GAIT Vision For Solving The SOX-404 IT Scoping Problem"
Here is the abstract of my BSides talk:
"Properly Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)"
I have noticed that there is a growing wave of discontent and disenchantment from information security and compliance practitioners around the PCI DSS. Josh Corman has been an effective voice for these concerns, providing an intellectually honest and earnest analysis in his talk “Is PCI The No Child Left Behind Act For Infosec?”
The problems are well-known and significant: too much ambiguity in the PCI DSS, Qualified Security Assessors (QSAs) and consultants using subjective interpretations, existing guidance that is either too prescriptive or too vague, scope missing critical systems that could put cardholder data at risk, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in the risk of data breaches, and so forth.
For years, I have been studying the PCI DSS compliance problem as well. I have noticed many similarities between the PCI compliance challenges and the "SOX-404 Is The Biggest IT Time Waster" wars of 2005. I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about it. We identified the inability to accurately scope the IT portions of SOX-404 as the root cause of the billions of dollars of wasted time and effort, which did nothing to reduce the risk of financial misstatements.
I propose to present the two-year success story of the IIA GAIT project and how we changed the state of IT audit practice in support of SOX-404 financial reporting audits. We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404. We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 big CPA firms (e.g., the Big Four and other firms doing SOX advisory work). In short, we made a difference, in a highly political process that involved many constituencies.
I am attempting to do something similar with the PCI Security Standards Council, through my work as one of the leaders of the PCI Scoping SIG (Special Interest Group). My personal goal is to find a "third way" to better enable correct scoping of the PCI Cardholder Data Environment, and to create a risk-based approach for substantiating the effective controls that ensure cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.
My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts, and work with those practitioners to catalyze a similar movement to achieve the spirit and intent of PCI DSS.