I ran a couple of sessions at RSA Europe 2011 to talk about PCI DSS and Risk Based Compliance.
What struck me was the make-up of the audience. One or two years ago, I could have put good money on the audience being 90% merchants, but now it was an equal balance of issuers/acquirers, service providers, mobile payment providers, merchants and people from outside of the UK trying to get a handle on what PCI DSS is all about.
Even more interesting, the majority of the audience were under the impression that Risk Based Compliance was a shortcut, method or tactic to avoid PCI DSS compliance altogether.
To reiterate, Risk Based Compliance is something that banks have put together to enable better progress reporting from Level 1 merchants, as most appear to be “stuck” having completed all the quick wins, with compliance scores of 60-70%.
The banks have thought “great – they're almost there!”, and in my opinion, have assumed that each PCI DSS control is equally weighted, requires equal effort and cost and that a score of 60-70% is actually quite good.
The introduction of TIP in the States was brought up, where it has been widely promoted as a shortcut to PCI compliance. As long as 95% of in-store transactions are taken via an approved chip and PIN device, merchants only need to validate against milestones 1/2 and be compliant against milestones 1/2/3/4 to avoid any breach fines.
TIP is taking off in the UK, even though the other card schemes that make up the council haven't quite yet agreed to it, and indeed is an easy win as 99% of the market is already using chip and PIN devices (yes, some merchants still don't…).
But look at the US, with 1,000+ banks and limited EMV architecture, and there's a HUGE step to be taken before any merchant can even get the infrastructure in place and start validating against TIP. We're at least 2 or even 3 years away from the US adopting chip and PIN on a large scale. The TIP carrot might help.
We also covered the changes in PCI DSS v2.0, and again I had to tell everyone there hadn't been any (major ones), although a few did pipe up and say “our QSA” or “our vendor” said there have been lots of changes and they needed to know what to do next. Reading the Summary of Changes document would be a good start, as it details exactly what typos have been corrected in PCI DSS v2.0 over v1.2.1.
The first point I draw from this is that there is evidently still a “quick-win” culture out there that does nothing to improve security; all it does is boost the compliance score. The schemes and banks have picked up on this and moved risk assessments to milestone 1, as this should catch any medium/high/critical risks that quick-win compliance hasn't covered.
Secondly, TIP and Risk Reduction Programmes in relation to PCI DSS are reserved for large merchants. If you're Level 2, 3 or 4, then self-assessment is still perfectly acceptable. Some larger Level 2s might benefit, but generally speaking, self-assessment is all that is required. Plus, of course, actually being compliant, as opposed to ticking the boxes…
To conclude, the RSA Conference was great fun, but delegates just seemed to be drawn to those speaking about FUD. They weren't really interested in my attempt to educate at all, which was a shame. Do I really have to make a move into the entertainments business?? 🙂
I've changed jobs in the meantime – am now CEO at 2-sec. Watch this space…