While the Payment Card Industry Data Security Standard tends to draw a lot of criticism, some help is on the way with the PCI DSS 2.0 specification, due Oct. 28.
The new version of the standard doesn't ease up on any requirements, but it does clarify terminology and, for example, spells out that virtual servers can be part of a PCI-compliant environment.
That may not seem like a lot, but as Kurt Roemer, chief security strategist for Citrix and a member of the PCI board, notes, PCI DSS audits tend to suffer from some irrational exuberance, so any additional clarification will be welcome.
Roemer says another plus is that the people who control the standards have agreed to update them together on a three-year cycle. That means that rather than being subject to a rolling series of updates, IT organizations can take a more holistic approach to PCI DSS compliance.
That holistic approach is critical, says Roemer, because the real issue is to balance the proper level of security controls with the actual amount of risk. That means IT organizations and auditors should not be spending huge amounts of money trying to secure every little thing in the enterprise. And for smaller companies, it probably makes a lot more sense to rely on tokenization services in the cloud to process credit card data than to handle that data themselves.
Like all things related to security, there are no absolutes. As Roemer notes, PCI DSS is meant to be a guide to bare-minimum security requirements. But at the same time, if security is consuming an unreasonable percentage of the overall IT budget, something's very wrong in your efforts to balance security tasks against the actual risks involved.