Thursday, April 30, 2009

Risk-based PCI Assessment?

David Taylor, founder of the PCI Knowledgebase, Research Director of the PCI Alliance and a former eCommerce and Security analyst with Gartner, writes in a guest editorial in StoreFront Backtalk that the "grading system" used for PCI compliance is counterproductive and unrealistic.

"PCI Assessments – whether self-assessments or assessments by QSAs – are generally regarded as being valid only for a point in time. But when is that point in time? Is it the day the ROC or SAQ is signed by the assessor merchant, or the day the assessment has been signed off on by the acquirer, or the day that the ROC or SAQ is reviewed and approved by the card network(s)?

"How does a retailer know when that point in time ends? The technical complexity of the controls is inconsistent with the grading system that requires 100 percent to be compliant. Great standard. Bad grading system.

"Thanks to the grading system, and the fact that many of the PCI controls are 'volatile' and can be made ineffective by simple configuration or rule changes, this technically means that an organization may never actually be PCI compliant. That’s because, for a typical Level 1 merchant, an assessment will take more than a month, sometimes several months. Thus, it is very possible that between the time the first controls were tested and the time the last controls were tested, changes were made to the first controls such that they are no longer 100 percent compliant."

The grading system also encourages merchants to shop around for "easy" assessors. "It’s not that these merchants don’t want to be secure. It’s just that they object to being held to a standard where they have to score 100 percent to pass, and get fined if they don’t achieve it. Again: great standard, bad grading system."

Click HERE to read about "risk-based" PCI assessment.
