Out of Clutter, Find Simplicity
by James Seaman
"There are three ways of dealing with difference:
By domination only one side gets what it wants; by compromise neither side gets what it wants; by integration we find a way by which both sides may get what they wish."
- Mary Parker Follett
After more than 30 years in the Protective Security industry, I decided that I would author a book on an often misunderstood and underappreciated topic: Payment Card Industry Data Security Standard (PCI DSS).
Don’t get me wrong there are some extremely knowledgeable PCI DSS subject matter experts but equally there are many more who regard this as an extremely complex controls framework, or who resort to a purely auditing mindset.
As a result, the business benefits of PCI DSS are not conveyed to the key decision-makers and the compliance efforts become a matter of business’ being pressed into doing the very bare minimum needed to ‘tick the various PCI DSS boxes’.
Many of you with have had the very same experiences, trying to align your payment operations to the most appropriate Self-Assessment Questionnaire (SAQ), e.g.
Extract from Acuity STREAM
The very structure of the PCI DSS controls framework provides business’ with a unique approach to help reduce the risks associated with the storage, processing or transmission of cardholder data.
At the heart of an effective PCI DSS protective security strategy is understanding how to apply an integrated approach, to ensure that all the complimentary and supporting controls can work in harmony with each other.
Additionally, with enhancements to various regulatory requirements (e.g. EU-GDPR, PIPEDA, CCPA, POPI, PDPC, etc.) PCI DSS can be an essential component to help business’ to enhance their overall security culture and to compliment other organisational protective security strategies.
The aim of this publication is not to regurgitate the content of each and every PCI DSS control (as your team members would need to be familiarised with the controls (for which they are responsible for), from the current version of PCI DSS (made freely available for you by the PCI SSC).
No, the aim is to help you understand the benefits to your business, by understanding the similarities to the measures applied for the mitigation of mission critical UK military assets.
You only need to read the various payment card data breach investigations and industry reports to realize that something in PCI DSS is not working.
How can this be? PCI DSS has been in place (in its current form) for over 15 years.
Is PCI DSS not fit for purpose? How can this be? The controls framework has a strong heritage and is continually evolving.
Is it too complex and too difficult to achieve and, more importantly, maintain? The framework is structured in such a way as to help business’ reduce their risk profiles, whilst minimising the potential attack vectors that can be exploited by opportunist attackers.
My career in protective security started during my RAF Police career, where I spent over a decade employed on Counter Intelligence operations. I guess this start was a gift, as in the UK military it was never a case of doing the bare minimum to ensure that the mission critical assets were adequately protected.
Many of my experiences, having transitioned across to the corporate environment, was far from being on an equal setting. In fact, I can recall during one of my physical security reviews of an onsite data centre being told by my boss, “The client doesn’t need military grade defences, they just need to ensure that the bare minimum has been implemented!”
The reason for this. The client had made a compliant against the fact that I had identified a risk that might be an issue for their PCI DSS assessment. However, they were a financial institution that had previously undergone numerous PCI DSS and ISO/IEC 27001 assessments, and this issue had never been identified.
What was the risk? The Automated Access Control System (AACS) relied on a magnetic lock release but during the installation, the engineers had fitted the mounting plate to the outside of the security door frame. Consequently, armed with just a ‘cross-head’ screwdriver an attacker could gain unauthorised access to a critical facility.
- ‘Ticking the PCI DSS box’, this had been previously deemed as being PCI DSS compliant but was this really appropriate to help mitigate the risk and help them to be secure?
Now, I’m not saying that my assessment was any better or worse than their previous assessments, however, my previous military training and experiences had taught me to look at things through the eyes of an opportunist threat actor.
Whether you are a seasoned security professional, someone just starting out in the industry or a business decision-maker, I strongly believe that you will gain a great deal from reading of my career exploits, as they apply to the PCI DSS controls framework.
Much like terrorist and insurgents’ activities against the military, today’s criminals are continually carrying out hostile reconnaissance seeking to identify opportunities to infiltrate businesses, with a view to gain unauthorised access and to exfiltrate sensitive data assets for their monetary gain.
Through reading PCI DSS: An Integrated Data Security Standard Guide, you will gain a greater understanding of the benefits the PCI DSS controls framework can bring to your organisation. Additionally, it will help you to understand the objectives and intent of the various PCI DSS structure (6 goals and 12 requirements), and how some of the PCI DSS controls are designed to be complimentary to one another.
This book has been developed so as to compliment the extensive resources provided by the PCI SSC and to help business to gain a better appreciation for the PCI DSS controls framework’s effectiveness for reducing the risks to your company.
Additionally, this improved understanding should help you develop an enhanced PCI DSS strategy and, thus, help make the annual PCI DSS validation less painful.
Protective Security should be seen as a key business driver, helping your organisation to maintain secure and operational critical assets, with PCI DSS having been specifically developed for the protection of your payment card systems and operations.
Failure to correctly connect all the PCI DSS jigsaw pieces, could increase the risks to your business. However, payment card operations can be extremely varied between one business and another and this needs to be addressed as a team effort (Top-Down; Bottom-Up) to ensure that everything is applied in harmony for the greater good for your organisation.
PCI DSS is something that should not be feared, but something should be embraced for the greater good.
I hope that by reading my insights and views on PCI DSS, you will gain a new found appreciation for this often underappreciated data security framework.
About the Author
James (Jim) Seaman has been dedicated to the pursuit of security for his entire adult life. He served 22 years in the RAF Police, covering a number of specialist areas including physical security, aviation security, information security management, IT security management, cybersecurity management, security investigations, intelligence operations, and incident response and disaster recovery. He has successfully transitioned his skills to the corporate environment and now works in areas such as financial services, banking, retail, manufacturing, e-commerce, and marketing. He helps businesses enhance their cybersecurity and InfoSec defensive measures and work with various industry security standards.
This article was contributed by James Seaman, author of PCI DSS: An Integrated Data Security Standard Guide.