Risk, Risk Management and PCI DSS, part 2
You might have noticed things have gone a little quiet round here, as my last blog post seemed to get me into a spot of trouble…
Anyway. It’s certainly not my style to tread on the feet of a major UK acquirer and in the end I was asked to remove the names of the entities in question and delete the comments thread, which I’ve now done (btw it’s cached, let me know if you’d like the link!).
In general, acquiring banks seem very keen for merchant risk management programs to align, all fit together and be measurable in terms of a percentage score that they can then relay to the card schemes.
First off, this isn’t really risk management as you, I and other information security professionals understand it. It’s a controls-based approach that results in a score.
Secondly, if you’ve looked at taking a risk-based approach to PCI DSS, you’ll note that in most cases it increases workload: it adds more controls, increases reporting requirements and sends waves of subjective confusion around the company.
How does the payment security risk of a hotel compare with that of a high street retailer, or an ecommerce retailer, for that matter?
By nature, some companies are simply riskier than others when it comes to payment card security, and it’s that difference a score-based approach will not capture.
Risk management also introduces a lot of subjectivity. One company’s board might approach risk management in a completely different way from another’s, and sweep areas of high risk under the carpet, mostly unintentionally.
So by introducing risk based compliance, we’re ending up with a scenario where PCI DSS goes out of the window and companies submit risk assessments instead, which give even more scope for the truth to be warped.
It’s an interesting area and I’m looking at it closely. I suspect that risk based compliance will be reserved for the Level 1 Merchants only, that have had challenges in adopting PCI DSS word for word, but it will be quite intriguing to see the volumes this approach will reach.
Risk management is NOT risk measurement. As soon as you try to slap relative scores or numbers onto risk, its true value flies out of the window.
Merchants might all be Merchants, but every merchant I’ve had the pleasure of dealing with over the past five years, and we’re talking close to 200, has been different. Different people, different cultures, different products, because, believe it or not, even close competitors need differentiators.
The scary thing is, if Merchants all embark on risk management programs and each does so in its own unique way, which is of course to be expected when dealing with unique companies, then any means of comparing or measuring risk across them goes out of the window…