PCI compliance is Zen-like. It's hard to determine, and even when a letter declares a company PCI-compliant, that declaration can always be retroactively reversed later - such as if you're breached. Yes, when you most need to be able to say that you are PCI compliant is when it's taken away. Isn't life wonderful?
What prompts this observation was a news release that crossed my desk a few days ago from Tenable Network Security. The release said the company had a new offering "that continuously monitors and maintains Payment Card Industry Data Security Standard (PCI DSS) compliance posture." Monitors? Yes. Maintains? That is not something that software - any software - can do.
That's more the fault of how PCI works than anything that Tenable does - and it's fair to say that almost every security company oversimplifies PCI compliance. Tenable is selling an idea that retailers would so very much love to be true. But it's not.
First off, for a merchant to be considered PCI-compliant involves an opinion from the QSA (qualified security assessor) it pays for, plus the agreement from the relevant payments processor and sometimes one of the card brands (Visa, Mastercard, Amex, Discover, etc.) themselves. Those decisions are often made on security issues, but political and profit motives can also play a role.
This gets worse. Let's say that the QSA finishes the assessment on July 1. It may take a couple of months before everyone signs off and the merchant gets a letter granting PCI compliance. Let's say that letter arrives Sept. 1. It doesn't say that the retailer is compliant. It merely says that back on July 1, it was compliant. And as mentioned above, even that will be stripped away if it's really needed, such as if a breach happens.
The reason why compliance is tied to the date the assessment was wrapped is that, in theory, any change at all to anything on the network could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows if it is compliant? It's this amorphous concept that is unattainable.
This brings us back to Tenable's claim. No software can maintain compliance. When I reached out to Tenable, it quickly conceded the point and changed the release on its site to say that its product "continuously monitors Payment Card Industry Data Security Standard (PCI DSS) compliance posture." Better, but no cigar.
The idea of monitoring suggests that the software will flag when compliance is there and when it isn't. Unfortunately, given how PCI works in the U.S., that's also not knowable.