Standards don’t move fast enough

By Mike Rothman

Is it clean coal, at least?

Branden Williams is exactly right: 2013 is a pivotal year for PCI DSS. A new version of the guidance will hit later this year.

So why is 2013 so important for PCI DSS? In this next revision (which will be released this year, enforced in 2015, and retired at the end of 2017) the standard has to play catch-up. It’s notoriously been behind the times when it comes to the types of attacks that merchants face (albeit, most merchants don’t even follow PCI DSS well enough to see if compliance could prevent a breach), but now it’s way behind the times on the technologies that drive business.

Enforced in 2015. Yeah, 2015. You know, things change pretty quickly in technology – especially for attackers. But the rub is that the size and disruption of infrastructure changes for the large retailers who control the PCI DSS mean they cannot update their stuff fast enough. So they only update the DSS on a 3-year cycle to allow time to implement the changes (and keep the ROC).

Let’s be clear: attackers are not waiting for the new version of PCI to figure out ways to bust new technologies. Did you think they were waiting to figure out how to game mobile payments? Of course not – but no specific guidance will be in play for at least 2 years. Regardless of whether it’s too little, it’s definitely too late.

So what to do? Protect your stuff, and put PCI (and the other regulatory mandates) into the box that it belongs. A low bar you need to go beyond if you want to protect your data.

Photo credit: “Don’t let this happen to you! too little, too late order coal now!” originally uploaded by Keijo Knutas


If you think PCI is bad, have you seen the mess that is the NERC-CIP?  Version 3 is currently enforced with version 4 mandatory compliance date coming soon.  However, there is a recent proposal to effectively retire version 4 before mandatory compliance and replace it with version 5.  BUT, companies still have to prepare for version 4 mandatory enforcement until the final decision to move right to version 5 is made.  What?!?!

This is the reality when you get away from a risk-based and principles-based approach to rule making and get into the detail.  It works great for building codes, not so great for information security.  As long as standards makers fail to learn this lesson, their standards will be increasingly less relevant.

By ds
