The Elephant and the Eye of the Needle

There's an ancient religious aphorism that it's easier for an elephant (or camel) to be threaded through the eye of a needle than it is for (insert your religious preference here). For some reason, while reading Jeff Hawkins' On Intelligence last night the thought occurred to me that PCI is the elephant and our limited budgets are the eye of the needle.

The cost of PCI compliance is getting to be quite staggering. According to a blog post from ElementPS in February, a Gartner survey found that the average Level 1 merchant spent $2.7 million on PCI compliance in 2008, while the average Level 2 merchant spent $1.1 million. In case you're wondering, that's a lot of money!

Toward this end, the PCI Security Council has released a "Prioritized Approach for DSS 1.2" that can help organizations better plan their compliance efforts. Of course, this report comes with the standard caveats that full compliance is still expected, there are no shortcuts, yada yada yada.

So, what's a person to do? Well, it seems to me that you have two choices: shrink the elephant or get a bigger needle eye.

Shrink the Elephant

The first recommendation in the Prioritized Approach is to perform data cleanup. I'd like to take this one step further and suggest that data should not be stored, period, unless there is a very, very, very compelling reason to do so. If data must be stored, then you should next look at outsourcing the card-related systems and applications to, in effect, pass the buck. Failing either of those, it's brass tacks time: sit down with the business and management, explain how much PCI compliance is costing them, and lay out some viable alternatives (including the first two mentioned here).

One of the biggest problems I see today is that companies are a) conducting credit card transactions themselves, and b) storing credit card data, such as for recurring subscriptions. Culturally this is screwed up. (In fact, if you want a good business model for a startup, I'd suggest building a credit card processing company that provides uniquely indexed account numbers for customers in a snappy SOA/Web 2.0 framework with REST or SOAP XML interfaces and secure plugins that can be dropped into sites to handle the billing registration bits.) The business only needs to know what account to bill, when to bill it, and how much to bill it - there's really no reason that businesses should have to store the credit card data themselves. That data should be stored by a value-added processor.
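To make that split concrete, here is an added Python sketch (not the author's code and not any real processor's API) of the model described above: a hypothetical processor vault that hands back opaque account tokens, a merchant that stores only which token to bill, when, and how much, and a scan of the merchant's stored records for card-like numbers to confirm no PAN stayed behind. The test card number is a constructed Luhn-valid value.

```python
import json
import re
import secrets
from datetime import date, timedelta

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card-like digit runs from other numbers in a dump."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Processor:  # hypothetical value-added processor: the only party holding PANs
    def __init__(self):
        self._vault = {}  # token -> PAN; never returned to the merchant

    def register_card(self, pan: str) -> str:
        token = "acct_" + secrets.token_urlsafe(16)  # opaque, unguessable index
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> dict:
        pan = self._vault[token]  # KeyError for an unknown token
        return {"token": token, "amount": cents, "last4": pan[-4:], "ok": True}

class Merchant:  # the business keeps only which account to bill, when, and how much
    def __init__(self, processor: Processor):
        self.processor = processor
        self.subscriptions = []  # all a merchant-side compromise could expose

    def subscribe(self, pan: str, cents: int, every_days: int, start_iso: str) -> str:
        token = self.processor.register_card(pan)  # PAN handed off, not kept here
        self.subscriptions.append({"token": token, "amount": cents,
                                   "every_days": every_days, "next_bill": start_iso})
        return token

    def run_billing(self, today_iso: str) -> list:
        today = date.fromisoformat(today_iso)
        charged = []
        for sub in self.subscriptions:
            if date.fromisoformat(sub["next_bill"]) <= today:
                charged.append(self.processor.charge(sub["token"], sub["amount"]))
                sub["next_bill"] = (today + timedelta(days=sub["every_days"])).isoformat()
        return charged

def card_like_numbers(data) -> list:
    """Serialise any record set and flag 13-19 digit Luhn-valid runs in it."""
    blob = json.dumps(data, default=str)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]
```

Running `card_like_numbers` over the merchant's subscription records returns nothing, while the same scan over a record that embeds a PAN flags it; that difference is the scope reduction the paragraph is arguing for.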

It's time we break the current model in search of something more viable and valuable. Shrinking the elephant makes it much easier to pass it through the eye of a needle.

Bigger Needle Eye

In the end, despite the economy, it seems unlikely that businesses will be able to ditch all of their credit card data (barring the startup idea mentioned above). So, your next option is to get a bigger needle eye through which to pass this elephant. What I'm talking about here is budget, and the need to grow it accordingly. However, this growth needs to be smart growth. Adding to the budget just for the sake of adding to the budget is wasteful and silly.

There is much that can be accomplished with free and open source (FOSS) tools these days, but there are a few areas where commercial tools might be useful. Picking a few key projects with broader application beyond just PCI could demonstrate value beyond the immediate objectives. For instance, properly implementing ITIL within an IT organization can increase efficiency and effectiveness, resulting in happier customers and lower costs. ITIL also would help you achieve better patch management, vulnerability management, change management, and configuration management - all of which are required by PCI. Similarly, there may be broader benefits in the areas of identity and access management, as well as for logging and monitoring, through commercial solutions.

That being said, if you're to achieve PCI compliance without dumping all traces of cardholder data, then you're going to have to push for an increased budget. Even if you decide not to buy new tools, you're likely going to need additional personnel. All of these accomplish the same goal of making the eye of the needle bigger, increasing your chances of passing the elephant through it.

(cross-posted from http://www.t2pa.com/cores/security-and-privacy/practical-security)

About this Entry

This page contains a single entry by Ben Tomhave published on April 2, 2009 4:03 PM.
