Pages

Monday, August 25, 2008

Gartner's Avivah Litan on PCI Version 1.2

In an article pubished in ComputerWorld last week, Avivah Litan, distinguished analyst at Gartner shared her thoughts on the summary of changes of PCI 1.2. 

Here they are:

The new version is a "definite improvement" on the existing PCI standard, said Avivah Litan, an analyst at Gartner Inc. But, she added, the PCI council appears to have missed a chance to introduce some other long-needed changes. 

According to Litan, one of the biggest issues with the PCI standard is that it makes very little distinction between networks belonging to large companies that process large volumes of card transactions and those belonging to businesses with much smaller transaction volumes. In large, complex network environments, it's often hard to say what exactly is covered by PCI and what isn't, she said. The standard, Litan claimed, allows for too much interpretation and leaves it entirely to PCI assessors to determine the scope of what needs to be protected.

Moreover, the standard is targeted primarily at e-commerce systems and isn't always clear on how the requirements should be applied in highly distributed brick-and-mortar environments, Litan said. For instance, many retailers continue to connect servers at each of their stores to systems in other locations but thus far, at least, the PCI standard has provided little guidance on that risky practice.

Litan said there also is considerable ambiguity surrounding the requirements for third-party service providers, such as call centers that might be processing cardholder data on behalf of retailers. "What are your obligations," she asked, "if you are taking in card numbers and phone numbers and entering them into systems that are not yours?"

Another key missing element is guidance on how end-to-end encryption of cardholder data would affect a company's compliance obligations, Litan said.

To Litan, the new version of the standard would have been an ideal opportunity for the PCI council to have incorporated language clarifying such issues. "The questions that come up every day are not addressed at all by this upgrade," she said. "This is just really more of tinkering around the edges."