While I’ve been neck deep in Rails 3 and Paypal integrations (hint, it sucks if you just want to do a complete outsource) I took a few minutes to think about the impact that PCI DSS had on my architectural decision. I actually took the advice I give freely which is to completely outsource my payments for this small side project I am working on. Just like most businesses, I have come to hate credit cards—yet, as an individual I depend on them every single day.
But we’re now in 2013, and it’s not just the ninth anniversary of PCI DSS with the fourth revision of the original 1.0 version. It’s the year of mobile POS (mPOS). Why, just this weekend I had the pleasure of using one myself—TabbedOut (which totally rocks). And as I have discussed, there is a gray area around mobile payment implementations when it comes to PCI DSS. And since the available documentation from the Council falls woefully short when it comes to progressive technologies, 2013 might be the most important year for PCI DSS yet.
The Council will tell you that PCI DSS Compliance does not equate to security, and that PCI DSS should serve as a foundation for any security program put into place to protect an enterprise. PCI DSS has done a ton to bring information security awareness and maturity to merchants—a fact we can’t deny. But we may be getting close to the end of its useful life considering the advancements in technologies over the last decade.
Step back in time for a moment and think about how we did payments ten to fifteen years ago. First, we still built data centers to run IT. Second, phones were a lot heavier and texting was a pain in the rear. And finally, magstripe payments were pretty much the standard around here (though globally EMV was starting to replace outdated magstripes). How much has technology changed? An unbelievable amount, specifically on the component sizes.
So why is 2013 so important for PCI DSS? In this next revision (which will be released this year, enforced in 2015, and retired at the end of 2017) the standard has to play catch up. It’s notoriously been behind the times when it comes to the types of attacks that merchants face (albeit, most merchants don’t even follow PCI DSS well enough to see if compliance could prevent a breach), but now it’s way behind the times on the technologies that drive business. As I’ve demonstrated, you can take what is in the standard today and make virtually anything comply with PCI DSS, but the amount of varied opinions on what constitutes proper controls for compliance continues to grow while the gap between compliant and not widens.
It’s now to the point that companies are just doing what they need to do with their business and avoiding the PCI DSS discussion altogether. They simply cannot wait to be outpaced by their competitors. They build security into the offering and ignore PCI DSS. If this is the case, then isn’t PCI DSS losing its relevance? Maybe it’s becoming the cathode-ray tube of the payment space?
The new standard will be released mere months from now, and you can expect a review here as well as a book offering (self-published as an addendum to the PCI Compliance book), but if the new version of the standard cannot meaningfully address technologies of today and tomorrow, its importance will dwindle. I’m not saying it will go away—YET. But the way we think about PCI DSS will be dramatically different over the next few years.