Compliance year in review: PCI DSS progress, yet confusion abounds


The article below is from and can be referenced at:,289483,sid14_gci1286583,00.html

After a year when compliance was top of mind for companies everywhere, amazingly enough, compliance is poised to remain a huge discussion topic within large enterprises for the foreseeable future. Many still struggle to assess the true impact of ongoing regulatory scrutiny on their environment. Before we ring in the New Year, let's take a look back at some of the big compliance issues we saw in 2007 and how the landscape may change moving forward.

You can't mention 2007 and compliance without uttering the "P" word. Of course, I'm referring to the Payment Card Industry (PCI) Data Security Standard. This year, PCI really came into its own with the acceptance of Data Security Standard version 1.1 and the compliance deadlines for Level 1 and Level 2 merchants.

The increased awareness and understanding that PCI is important has had a dramatic and positive impact on security efforts. In stark contrast to the nebulous and mostly ineffective HIPAA and GLBA standards, the 12 requirements of PCI DSS are reasonably specific about what is acceptable from a security controls standpoint.

Yet, there is always a downside to progress, and during the summer there were increasing rumblings that PCI was just "too hard." There were back-channel lobbying efforts to ease up some of the requirements, especially around secure application development and the protection of cardholder data. Personally, I think easing up the PCI DSS standards just because "they're hard" is a terrible idea. The reality is, encrypting cardholder data at rest or providing compensating controls against a targeted database attack increases the security of the system. It's important to keep that in mind.

Of course, any discussion of 2007 is incomplete without talking about the TJX data breach. Even though the true extent of the data lost or systems compromised remains unknown, the incident caught the attention of every large company around the world. Security officers were able to use the "Let's not be TJX" rallying cry to get executives' attention and refocus resources on security and compliance efforts.

It also came to light that Visa had granted a compliance "exception" to TJX through 2008. Visa is still trying to wipe the egg off its face over that. The reality is, these kinds of exceptions undermine the entirety of the standard and make PCI largely a joke. It's interesting to see the statistics on how many Level 1 and 2 retailers are now PCI "compliant," but how many others have these exceptions?

Other than TJX, 2007 saw a few more large-scale data breaches, which opened up companies to compliance liability and potential civil liability on behalf of the customers who lost data. Organizations like TD Ameritrade and were high-profile examples of this, both suffering application-oriented attacks that exposed customer data. Most notable from a compliance standpoint is what you haven't heard from the U.S. government about these clear compliance violations. Will the U.S. Department of Justice or the SEC go after these companies for Sarbanes-Oxley or any other type of regulatory violation?

Given that there were no "public executions" relative to these compliance violations, there is a distinct possibility that regulated entities will decide to take their chances against the hackers, hoping their number won't come up, as opposed to spending the millions required to achieve and sustain regulatory compliance. So if the U.S. government or credit card companies don't go after these violators, the latest batch of regulations is just another addition to a long line of toothless legislation.

There were also a huge number of lost laptops that triggered the various data breach disclosure laws around the world. It continues to perplex me that field-level employees have tens of thousands (or even more) of sensitive customer records on their laptops. This has resulted in a mass-buying wave of laptop encryption products. Since organizations evidently can't stop employees from losing laptops, at least they can render them useless (besides the gray-market value of the hardware) to the criminal.

Speaking of disclosure, we didn't see the expected U.S. breach disclosure legislation, which means companies are still governed by the dozens of different laws on the books in almost every state in the U.S. A national law may pass in 2008, which would likely include input and requirements of a more global audience. This would mean standardized terminology and consequences of data breaches; it would be a positive development.

Another new product category emerged in 2007 to help address compliance issues. These so-called GRC (governance, risk and compliance) products are glorified workflow managers that focus on gathering data and presenting it within an audit context. I'm not only referring to log data, but also to surveys, assessments and other unstructured data that is required to prove compliance.

On one hand, the difficulty and horsepower required to manage all the data creates a clear value proposition for GRC products. But as with every other potentially hot market, an ongoing battle exists within the vendor community to figure out exactly what GRC means. In the early going, corporate customers end up just as confused as ever about how to solve their compliance issues.

Looking ahead, it's hard to envision 2008 being that different from 2007. We'll see more data breaches, more disclosures and probably more legislation and regulation. Companies will continue to spend money to keep their auditors happy and stay one step ahead of the compliance reaper. But until we really see an organization raked over the coals because of a compliance violation, we'll continue to deal more with the specter of compliance than the reality.