Call made for PCI requirement on setting policies to be more prominent
Call made for PCI requirement on setting policies to be more prominent

Requirement 12 of the payment card industry data security standard (PCI DSS) needs to become requirement one.

According to Mathieu Gorge, CEO and founder of Vigitrust, requirement 12, which states ‘Maintain a policy that addresses information security' should be far more important to businesses than its low position on the 12 steps suggests.

Speaking at an event in London, Gorge said that he welcomed new guidance introduced among version 2.0 at the start of 2012, but being so low down meant that it may not be seen as a priority, and he called upon the PCI's special interest groups to ensure that it has more of an influence in the next version of the standard.

He said: “It can be a tick-box exercise, so I would like to see requirement 12 be higher and an exam needs to be done, but you cannot secure the human brain of the employee and you need them to work.”

Talking to SC Magazine, Gorge said that the requirement, talking around setting policies and awareness training, would be obsolete if a firewall were to be misconfigured or instructed to ‘accept all'. He said: “It should only accept with a change request and get rid of a test rule, but a practical approach will reduce risk and I totally support.

“What worries me is that it is not good enough. You put solutions in place with controls but the way the business is working, with processes in place and good technical security, you are securing against yesterday's threats. How can you improve your technical security score if you don't know the score?

“You can put in a firewall, log management and put in proper policies to say what to do. The ISO standard starts with policy, the PCI council should leave the practical approach as it is but move requirement 12 so it is first.” He later said that it should be moved to requirement two or three as while it is at the end, people may not see it.

Jeremy King, European director of the PCI security standards council (SSC) said that the standard was not  produced as a prioritised approach, as they were never written as a list to act upon.

“They are different requirements for you to do some from all, not just all from one,” he said. “If you get one right you will fight 92 per cent of the attacks and risks. It is about people, process and technology. You cannot throw technology at it but if you don't have policies you cannot do all three.

“We are working on getting better at understanding for smaller merchants as the standards were written for security organisations with full-time security teams and we are trying to simplify.”