Don't hinge security on PCI DSS


Summary

Data centers that do not handle credit card data can strive to meet the Payment Card Industry Data Security Standard, but compliance is assessed at a single point in time and may give organizations a false sense of security, experts warn.

It may be beneficial for all data centers to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) as the guidelines provide good basic information security principles. However, organizations need to look beyond this standard, which was developed to protect customer data and prevent identity theft, and focus on what it means to protect their assets, note industry experts.

NeoSpire, a Texas, U.S.-based managed hosting service provider, told ZDNet Asia that companies are increasingly using the PCI DSS as a "security bible" to meet mandatory requirements such as the Sarbanes-Oxley Act and HIPAA (the Health Insurance Portability and Accountability Act), even though they may not process payment card data.

Such organizations need to communicate their commitment to data security to their customers, and apart from PCI DSS there are few "well-defined and broadly-scoped" security standards that are widely recognized by the business community, Sean Burton, NeoSpire's senior director of security, explained in an e-mail.

Ovum's principal analyst Graham Titterington observed that PCI DSS is already in use by many organizations as a significant number of businesses handle credit card data. He noted that the security standard is unique because it is "very prescriptive".

"It tells you what you have to do rather than set out goals for what you should achieve," Titterington said in an e-mail.

According to Bob Russo, general manager of the PCI Security Standards Council, the "guiding principles and prescriptive nature of the standard make it an excellent floor" on which a defense-in-depth security strategy can be built.

"It is a solid group of recognized best practices that can be used as the foundation for a more comprehensive security program," he said in an e-mail.

Russo noted that the PCI DSS can be relevant to any organization because "whether you are a small merchant or a large multinational corporation, there are contractual and cultural obligations [stating] you have to protect certain types of sensitive data", such as credit card data.

"Your customers, your shareholders and those that you do business with all have a certain expectation of diligence if they trust you with certain sensitive data," he added. "You must do everything you can to honor those obligations because if you lose the data of your customers, you can suffer financial damages and the tarnishing of your brand."

Not enough to declare full security
However, Russo noted that PCI compliance does not equate to a properly secured organization as compliance is "simply a snapshot in time".

"Organizations must go beyond simply striving for a Report on Compliance (ROC) and focus on strong security measures," he advised. "Compliance and security are two separate things. You need to build security into your daily business process."

Rob McMillan, Gartner's research director for security risk and privacy, concurred. Organizations looking to protect their entire body of information will find useful pointers in the PCI DSS, but the standard does not necessarily give these businesses everything they need, McMillan explained in a phone interview. For instance, it may lack the precautions needed to protect intellectual property, which is held in forms of data very different from credit card information and is exposed to different threats.

"PCI DSS gives you a good basic set of pointers on good infosecurity practices; it's not the be all and end all," he said.

Rather than fixate on meeting a standard such as PCI DSS, organizations should instead focus on "doing security well" because that would naturally lead to compliance, McMillan pointed out.

A sound security strategy would encompass efforts to assess the risks, determine the organizational risk appetite and implement controls that will bring the risks to a level that the business can live with, he noted.

When it comes to assessing cloud providers, McMillan said, again, there may be some useful provisions in PCI DSS, but it "probably won't cover all you need". For instance, one of the areas the standard covers is security awareness, and organizations need to consider what exactly that requirement means when the systems and staff involved belong to a cloud service they are purchasing.

"The problem with cloud services is you are now one more level removed from the technology and the way the technology and information is managed," he explained. "So you need to make sure you are very clear on the security outcomes you need and how you're going to ensure those security outcomes are met."

Titterington noted that the PCI DSS, even at the higher tiers where requirements are more rigorous, is focused on preventing the theft of cardholder data and therefore does not amount to a comprehensive data security policy.

The Ovum analyst concluded: "My feeling about PCI DSS is that it has achieved a great deal and has brought security to people who are not technically savvy, but it is not sufficiently comprehensive to be used to certify cloud service providers or enterprise IT departments in general."
