A few comments and observations regarding:

Views regarding PCI compliance are mostly positive
Most IT security practitioners believe...
Sure, they are the ones for whom work is being generated by PCI! :) A survey of business owners/CEOs would be much more interesting.
A majority of survey respondents were "very confident" they could pass an assessment today.
Hmm... these respondents need to read the Verizon 2010 Payment Card Industry Compliance Report: http://www.verizonbusiness.com/go/pcireport where 78% were non-compliant at IROC. My experience also is that organizations are not nearly as compliant as they think they are. They tend to make assumptions without actually reading the requirements.
The card brand, however, reports only "moderate" compliance for smaller retailers.
I bet that is putting it mildly!
"The people and education is a big issue that maybe is more challenging to address than just putting a technology in place,” Kost said.
Definitely! We were just discussing this very issue on here...attitudes are hard to change.
Needing to upgrade antiquated systems to bring them into compliance is the second greatest pain point...
Ditto again. I have a client running Fedora Core 3 systems (not necessarily in the CDE) with so much stuff all on one system (against best practice and a violation of PCI if in scope) that it has been nearly two years and we still have not been able to move/upgrade it!
Dan Langin, a Kansas lawyer who advises clients on PCI compliance, told SCMagazineUS.com on Wednesday that organizations commonly have challenges with the step that requires they maintain a policy that addresses information security.
I'll have to remember that name. Never before ran into a lawyer who specializes in PCI.
This requirement is somewhat objective and it can be difficult to determine whether the organization is actually in compliance, he said.
And I think he means subjective, not objective... And this is the point where one of my clients is currently stuck. They have most of the technical requirements met but need to do some documentation and education of policies.
The cost to achieve PCI compliance is often tied to an organization's size, with larger companies spending more than their smaller counterparts, Kost said. Sixty-two percent of all respondents said they have spent at least $100,000 on compliance over the past five years.
It is also tied to "technical debt". If you have a very messy environment with interdependencies all over the place running on systems which have been EOL for ages it is going to cost a whole lot more. Such is the case with the Fedora Core 3 client above.
Most organizations plan to increase PCI compliance spending in 2011, with some organizations planning to invest in technologies that allow them to comply in virtualized environments, according to the survey.
Meanwhile, 60 percent of respondents said they are using another emerging technology – point-to-point encryption (P2PE), sometimes referred to as end-to-end encryption
What sort of technologies would they need to allow them to comply in virtualized environments? The virtualization container is to be secured to at least that of the highest level virtual machine running in it.