Compliance is not just a pain in the tushy. While it can be difficult to achieve, the standards for compliance have a sort
of soft interpretation. For 508 compliance, there are elements that can be interpreted. Ultimately, a human being or group of human beings have to assert that a site is 508 compliant. Unless that person has the authority to officially dub a site compliant, it is compliance-minded. That’s all. Sometimes that is enough and the compliance police do not come looking.
I have written a bit about 508 compliance and W3C assessability standards. I am not a fan of standards that can be interpreted. That is not really a standard. PCI compliance is a bit nicer in that regard, so I will talk about it a bit today. Hang onto your hats. This is about as sexy as it gets.
There are 12 points (requirements, really) that must be satisfied for a site or site collection or System to be PCI compliant.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
First, what is the motivation behind this? Your safety as an online consumer, ostensively. If you read my blog on any kind of regular basis, however, I tend to think there are other forces at play. Just like SOX Compliance, PCI compliance
keeps a lot of companies in business. PCI Compliance experts. But they are not the genesis of this requirement. The credit card companies are. It limits their liability. It puts the onus on the site owner. I do not know if that is a good thing or a bad thing, but as with most things, I would bet the answer is “a little of both”.
So how do items like #6 become proven true or false? The Payment Card Industry Data Security Standards (PCI DSS) Information Security Policy & Procedures Manual sets forth these measures (requirements, really). And the reason I keep saying (requirements, really) is that requirements can be interpreted until UAT takes place. Sure, you can go Agile and you can go JIT, but it does not make sense to here. This is one occasion where yoru developers, stakeholders, phone support staff, and anyone who has anything to do with a transaction will be relevant is a very real and direct manner. You are better off, in my experience, joining forces with one of the organizations capable of dubbing you compliant early. That is in contrast to building, engaging, and changing/adapting. Ultimately, it will be up to your qualified PCI Compliance Agent if your application was designed with security best practices in mind, or if your application is secure. The way they determine this is up to them, although there is more detail behind these requirements – as you would expect with any project… a purely Agile approach would tend to leave people saying “that’s not really what I meant, so let’s iterate.” Why iterate when the deliverables are monitored by those who accept them and who know what they mean?
Point 6 “means”:
- Deliverable: A formalized Security Patch Management Program employee, complete with his/her roles and responsibilities.
- Deliverable: Comprehensive inventory of all “system components” directly associated with the Cardholder environment.
- Deliverable: Comprehensive inventory of all other I.T. resources not associated directly with the Cardholder environment.
- Deliverable: Subscribing to industry leading security sources and additional supporting resources for vulnerability announcements, and other security patch management alerts and issues.
- Deliverable: Procedures for establishing priorities in regards to security patch management. This will include, but is not limited to, the following: 1. Significance of the threat. 2. The existence and overall threat of the exploit. 3. The risks involved in applying security patch management procedures (its affect on other systems, resources available along with resource constraints).
- Deliverable: The creation of a database of remediation activities that needs to be applied.
- Deliverable: Test procedures for testing patches in regards to remediation.
- Deliverable: Procedures for deploying, distributing and implementing of patches and other related security hardening procedures
- Deliverable: Procedures for verifying successful implementation of patches and other related security hardening procedures.
These are not litmus test deliverables. They are required. The flaw is that we have requirements with detailed discovery yet the requirements are not positive assertions of anything but a hypothesis not proven true or false. They are pointers. Specific documents make up the larger requirement. This is fairly well defined, but still, there is that final UAT (that is indeed stretching it a bit but hopefully my intent is clear) where the dubbing agency says “Yes, PASS”. They are usually very willing to help you fulfill these requirements and create these deliverables.
To protect cardholders and personal information, organizations must not only employ best practices, but they must also pay to have themselves audited. This seems fair, I suppose. I also respect that this is not a rigid set of
requirements, but a yielding and forgiving one. It makes sense to temper things with a bit of reality. Still, it is not a standard, in my mind.
If a platform is ever able to say it is PCI compliant (or more likely, a framework), it would be very interesting. To build a framework so that departure from these guidelines is impossible would seem an attractive project for someone.
I am all for complaince, and I am all for standards, but I simply do not believe that PCI Compliance is a gauge against a standard. Advice: get audited by a PCI Consultant early. Let them tell you what they need. It may be less than you would do on your own and the money you spend on them will be money you save internally (lower project TCO). And as always, best practices in your SDLC and intelligent (common sense) design and architecture will be more valuable than whatever cute name you give your process.
AJ Ayer called something that could not be proven true or false “nonsensical”, but I think this is a little different than that. PCI Consultants need to be honest and earnest or they will have no authority. The intent, and the discipline, is valuable here, and I dig that very much.
Thank you,
Josh