When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese1 or would have made sense only to a limited audience (Shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was in light of PCI, we seem to be navigating a changing world with a semi-static map.  Like that GPS I bought seven years ago that freaks out every time I drive on a road that was completed four years ago.

Grand Central terminal, Jul 2008 - 05, by Ed Yourdon

As I wrote about last week, the Council has now extended the lifecycle to every three years, which overall I think is a good thing. But what is missing is solid guidance from the Council (not speculators) on where this thing is going between those updates.  Using a somewhat recent example, application vulnerabilities were on the rise long before the infamous Requirement 6.6 was introduced into the standard. Having some basic thoughts on Web-Application Firewalls and code reviews before the requirement was introduced would have at least started the discussion.  It’s not like all the sudden electronic commerce was a big thing after PCI 1.0 was released.

What the Council needs is a best practice area that constitutes recommendations from industry groups and the SIGs that has been vetted by the Council. This list of best practices would be technologies or processes that companies should become familiar with because they stand a good chance of being incorporated into the standard. Right now, it’s impossible to know definitively what the Council is “thinking.” Sure, we have the PR-driven evangelism2, but what we don’t have is a concrete picture on where they think the future of PCI DSS is going.

Because, frankly, it doesn’t matter what guys like me think.

Providing this forethought allows merchants and service providers to at least get a LITTLE bit of direction from the Council which helps:

  • Frame the budgeting process
  • Prioritize IT projects
  • Strategies on a three or five year roadmap

Imagine if the Council had a place that listed three to five technologies as beneficial to protecting cardholder data and key items it was considering for future versions of PCI DSS. As an industry, I believe we would actually see a few early adopters in the form of companies with savvy CISOs that get more input into their process and can better frame their requests to the rest of the executive team3.

This post originally appeared on BrandenWilliams.com.

  1. It’s somewhere between month-old shredded Cheddar cheese that you would toss on some chips and zap for “nachos,” and that orange substance you get on nachos at a high school football game. []
  2. According to Russo, this is going to change, but we’ve not seen much up to this point that falls outside of this category in my book. []
  3. I know this is a little pie in the sky, but there are some savvy folks out there that would be willing to stick their neck out if they knew the rug wouldn’t be pulled out from under them. []