Going against the grain isn’t easy. Go back through history and look at individuals that failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their life to the cause.

OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you?

Didn’t think so.

Fight Club, by Polina Sergeeva

When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to get their jobs done. “See Mr. CFO?PCI DSS requires encryption! Now let me go buy this fancy encryption wingding!”

Not everything was rainbows and gumdrops, however. Those on the negative side were typically the IT (because they felt like PCI DSS was being done TO them) and Finance (because they had to pay for all this stuff) folks. They used their brain power to find ways around meeting the actual requirements, namely by misusing the concept of a compensating control. Sitting in a meeting between these two teams provided hours of entertainment over my career. I never had to break up a fist fight, but it’s been close.

I have vivid memories of CFOs and CIOs screaming at me over PCI DSS (which, for the record, I did not author a single word of), and telling me they are picking up the phone and calling the president of Visa RIGHT NOW to tell him why this won’t work. This was essentially an analog of a political debate. Neither side really changed their opinions; the discussion simply re-inforced each side’s prior beliefs and caused their heels to be further dug into their concept of right.

Nowadays I observe the same two camps, but they are much closer to the middle from their previous extremes. Security folks realize that not every control is relevant to the entire organization, no matter their personal preference. IT and Finance folks realize that while they may not agree with everything inside PCI DSS, it does lower operational risk when implemented properly.

That said, there are still a few folks today that are still pushing back at PCI DSS instead of figuring out ways to work (and WIN) with the new rules. If you are a merchant fighting with PCI DSS, understand this.

  1. You will not change the rules.
  2. You must cope with the “new” world order.
  3. Creative use of compensating controls will work to your advantage.
  4. Your value will be judged by how you secure your enterprises and prevent breaches, not by how you fight compliance.

This post originally appeared on BrandenWilliams.com.

Possibly Related Posts: