ISO 27001 meets PCI-DSS

    PCI-DSS is the Payment Card Industry Data Security Standard. If you accept credit cards for payment, you are probably aware of this standard and its requirements. To comply with PCI-DSS you have to meet over 200 requirements, some of which are very technical and specific while others are very general.

    One approach (the most often seen one) to implementing PCI-DSS is to get the requirements document, and

    • compile a huge check list, one item per requirement
    • find for each requirement the cheapest/easiest solution
    • hire a PCI-QSA (Qualified Security Assessor – your external auditor) to attest compliance

    While this approach seems ideal at first glance, in most cases it is neither the best nor the cheapest. So, what is wrong with it?

    In case of a security breach, the involved card brands will ask questions. If you just bought yourself a shiny new set of security policies to fulfill PCI-DSS requirement 12.1, or if you just copied a generic risk assessment from the internet to comply with PCI-DSS 12.1.2, a team of investigators will probably notice. Should the involved card brands conclude that you were not compliant with PCI-DSS at the time of the breach, this will probably cost you far more than you originally saved during PCI-DSS implementation, regardless of whether your PCI-QSA attested your compliance some time ago.

    Another issue is real security vs. perceived security. Implementing the PCI-DSS requirements to the letter will not necessarily improve your actual security posture. Sound information security requires a security strategy based on your specific risks; the controls chosen to mitigate those risks are the ones that will actually improve your overall security.

    So far we have talked about the problem. Let’s now talk about solutions.

    The basis for a strategic approach to information security is a Management System (MS). This MS is usually based on ISO 27001, in which case it is called an ISMS (Information Security Management System). If you implement your information security based on ISO 27001 (you do not need to be ISO 27001 certified for this), you will have a working ISMS and will already have fulfilled some PCI-DSS requirements. When selecting your controls/measures based on your compiled risks, you align them with applicable legislation (e.g. in Germany the Federal Data Protection Act), with any contractual requirements, with your own security policies and with all security standards applicable to you (e.g. PCI-DSS). This is called an Integrated Management System.

    To help you align ISO 27001 and PCI-DSS, I compiled a mapping between ISO 27001 and PCI-DSS 2.0 (Mapping ISO27001 PCI-DSS 2.0) for you. You may use this document under the Creative Commons License CC BY-SA.