Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Nov 20, 2013

PCI, meet Security Awareness



Whereas current and previous versions of PCI DSS, the standard for securing credit card data, have mentioned the need for security awareness, the forthcoming PCI 3.0 release will be more forthright on the need for security education and awareness.

According to the official change notice, “Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.”
The underlying issue is that, without adequate awareness, other information security controls are more or less pointless. I suspect PCI 3.0 will focus on ensuring that PCI security requirements are very clearly expressed to the user organizations’ management ... leaving it to them to cascade the security requirements down to the relevant staff and IT professionals as they see fit. 
A cynic might argue that PCI-DSS is more a legal device for the credit card companies to avoid liabilities arising from security failures at merchants and other card processors, than a security standard. Preventing a loss of confidence and consequent collapse of the credit card industry is, not surprisingly, the industry's overriding concern. Actually protecting members of the public against identity theft/fraud, privacy breaches etc. is a secondary consideration. 
In reality, PCI compliance is just part of an organization’s information security concerns: a well-rounded information security awareness program helps protect all information assets, including credit card data, trade secrets, other personal and proprietary information, business strategies, financial data, printed/written information, even intangible forms such as knowledge, experience, expertise and ideas. There’s far more at stake here than mere PCI compliance!
I'll go a step further. Effective information security awareness programs secure business advantage, going well beyond merely avoiding nasty stuff such as the contractual liabilities and adverse publicity arising from PCI failures. They position and promote information security as a business enabler, a tool that enables the organization to conduct business activities that would otherwise be too risky. Awareness is the oil that slips security quietly into place. A security-aware workforce appreciates the need for security, understands the purpose, and behaves securely by default - even without the PCI auditors breathing down their necks. 
Doing security awareness purely for compliance reasons is a very myopic approach. You're missing out on the business benefits of a strong security culture that encompasses information security as a whole, at all levels of the organization.  It's needed for governance and risk management reasons.
Get it right and PCI compliance is an incidental side-effect, not a driver.