Page 31 - GS191102
CoverStory
Glover agreed that defined, customized approaches would be more effective than compensating controls, which are typically used when situations don't exactly comply with the standard and can sometimes feel like a "temporary fix." A customized approach eliminates the "get out of jail free" card feeling and provides a more permanent option, Glover noted. This approach would be a good fit for mature organizations with a real grasp on security and operations, he added. Assessed entities would have to demonstrate how a proposed approach would meet a required objective.

Aligning humans, systems

Michael Magrath, director, global relations and standards at OneSpan, said today's merchants tend to be knowledgeable about multifactor authentication but fall short on identity verification. From an internal standpoint, they may be lacking in administrative capacity or use a third-party service provider.

When the council mapped the PCI DSS to the National Institute of Standards and Technology (NIST) cybersecurity framework, aligning a range of controls and publications, the section on identity proofing lined up perfectly on both sides, Magrath recalled. "I was in early meetings when NIST was drafting it," he said, adding that static passwords were replaced with non-static multifactor authentication.

Ciske van Oosten, senior manager, global intelligence at Verizon Enterprise Solutions, and lead author of Verizon's 2019 Payment Security Report, recalled participating in early meetings when the PCI SSC was formed in 2006, and later collaborations with NIST. "I was part of the journey in the early days, and it has been interesting to see the strategic alliances that have formed over the years," he said. "As the program matures, you need resources to measure metrics. You need hard facts to drive to a higher level of capabilities."

He went on to say that PCI DSS 4.0 will be the most significant iteration of the standard to date. It will change how assessments are done. PCI compliance will no longer be a wash, rinse, repeat process. QSAs will no longer be tied to compensating controls; they can freely design and implement their own tailored, customized controls, he stated.

15-year milestone

As the PCI DSS celebrates its 15th birthday, breaches continue to occur, underscoring the need for effective, sustainable control environments, van Oosten noted. However, he pointed out that many enterprises continue to take a "check box" approach to compliance; as compliance programs evolve and mature, they must also move from a reactive to a proactive state.

"Without a sound strategy to measure data protection effectiveness and sustainability, throwing money at data protection does little to prove an organization is getting better at maintaining compliance," he wrote in the Verizon report. "This approach may lead to a false sense of security. Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements."

We must continue to provide guidance to the payments industry and help stakeholders develop and measure the effectiveness and maturity of data protection, van Oosten stated, adding that sustainable processes must meet regulatory requirements and maintain controls over extended periods. We must continue to help organizations effectively manage their control environments and achieve a level of assurance and predictability for each core data protection and compliance process, he noted.

Participatory, collective future

Chris Bucolo, senior vice president, market strategy at ControlScan, said, "The council is really asking for lots of input this time around, with the idea of addressing evolving risks and threats. They are talking about it being a process that stresses risk-based outcomes, with an emphasis on ongoing security and not a point-in-time checklist."

As he reflected on recent data breach activity, Bucolo said the PCI SSC will continue to focus on third-party service providers and password security. As an enthusiastic member of the council's Small Merchant Taskforce, he looks forward to working with small and midsize merchants as they review and comment on the PCI 4.0 Self-Assessment Questionnaire (SAQ). "In doing so, we have the opportunity to consolidate and streamline concepts where possible," he said.

"Data protection is not an IT problem," van Oosten said. "Data protection is not a knowledge problem. Data protection, at heart, is a proficiency problem. And the problem of accessing, simplifying and controlling data is compounded by lack of information security proficiencies, whether they are in-house or outsourced. But I do believe we are moving in the right direction."

Miles affirmed that security is the goal and stakeholder involvement is the key to getting there. "When security standards are more widely used, the entire ecosystem is better for it," he said. "We can see these changes in DSS 4.0 as a sign of things to come as the Council reworks all standards and organizational structures to keep security and stakeholders at the center of their world."

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content development specialist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.