NRF Best Practices
jeffs08
01-09-2008, 01:03 PM
Does the NRF Best Practices affect the PCI DSS in any way or could it in the future?
http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=442
Thanks,
~ jds
hmark
01-09-2008, 01:37 PM
I think that the Best Practices may be helpful, in that it proposes to share the experience of retailers meeting, achieving and managing compliance. On the other hand, I don't think that it will impact the contents of the PCI DSS.
jbhall56
01-09-2008, 06:47 PM
Like the efforts put forth on 'standardizing' Sarbanes Oxley (SOX) procedures, I think the NRF 'best practices' effort is being put forth to provide merchants with a better experience with the PCI compliance process.
However, as organizations found out with SOX, the unfortunate reality is that because of all of the nuances of how organizations can comply with the PCI DSS, I'm not sure if the experience will be made significantly better.
An item that will make the PCI compliance process better is the processors, acquirers, ASVs and QSAs becoming more experienced with the PCI Security Assessment Procedures and Self Assessment Questionnaires. The problem we have now is that the whole process is still fairly new and as more experience is gathered and new interpretations are made, what is accepted this week can be verboten the next week and vice versa. As we learned with SOX, what finally made the SOX experience better was additional guidance and clarification from the PCAOB along with the additional experience of the SOX auditors.
What will also help is the PCI SSC finally publishing all of the questions we have asked regarding the PCI DSS and the card brands' official interpretations in response to those questions. These were promised to be released sometime before the end of 2007; however, the PCI SSC has yet to publish these clarifications and guidance notes. Once published, we'll all be working from the same set of notes. While PCIAnswers.com and similar forums provide interpretations to questions, these interpretations are not the official interpretations even though they are typically the same as or similar to those issued by the card brands. That said, these forums still provide a good way to discuss the issues and get some ideas on how to address the issues.
QSA consistency was one of the BIG messages at the Toronto Community meeting back in September. A lot of people also pointed out that the card brands need to also focus on consistency in a number of their policies and procedures. The card brands need to bring some consistency to their individual security programs so that a consistent product can be produced and delivered without the "this organization needs things this way and this organization needs it another way or at a different time." The reason given by the card brands for these inconsistencies was that any coordination would be viewed as 'anti-competitive' or 'monopolizing' by the Department of Justice. If the distribution, manufacturing, transportation and merchant industries can create the Electronic Data Interchange (EDI) standard without going to court and jail, the card brands, merchants, processors, acquirers, ASVs and QSAs can create consistent rules without legal action.
The last item that I think will help is the standardizing of QSA and ASV operating procedures. Right now, how a QSA or ASV operates is open to interpretation by the individual QSAs, ASVs and their respective clients. We all hope this will be addressed by the coming reviews that will be conducted of QSAs and ASVs in 2008.
cmark
01-10-2008, 06:57 AM
As someone who was on the TWG and worked at one of the brands and still attends meetings with the PCI SSC, I can assure you that the anti-competitive concern permeates every aspect of the PCI SSC.
Even something as simple as ensuring that training material language between the brands is consistent requires a review of the legal implications.
The card brands also created EMV, and a number of other programs. It can be done; it simply needs to be controlled.
Each card brand has their own risk tolerance and security program. There will never be a day when the Visa CISP is the same as the MasterCard SDP or Amex DSOP.
ileyjac
01-10-2008, 12:54 PM
Jeff,
Question about your comment "We all hope this will be addressed by the coming reviews that will be conducted of QSAs and ASVs in 2008."
What do you think this review will involve? Do you think PCI will be looking for each QSC to have a consistent/standard corporate stance of each requirement and how they assess their clients?
Thanks,
Jacob
Knox Ellery
05-07-2009, 08:44 PM
The National Retail Federation announced today the release of the first installment of Best Practices for PCI developed in cooperation with PCI Knowledge Base. This release contains 25 best practices which provide guidance to companies on how leading retailers are addressing all of the requirements outlined in the PCI Data Security Standards. The Best Practices were developed based on more than 300 hours of anonymous interviews with key retail executives and other industry leaders, including contributions from BJ’s Wholesale Club, Yum! Brands, Saks, Burlington Coat Factory, IBM, Microsoft, PCMS and many others. The PCI Best Practices will be available on the NRF and PCI Knowledge Base websites to members.
jonassono
05-08-2009, 09:45 AM
Does the NRF Best Practices affect the PCI DSS in any way or could it in the future?
http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=442
Thanks,
~ jds
IMHO it will just be another one of the hundreds of sources of remediation solutions and will in no way affect the PCI standards.
Because of the enormous technical differences between merchant environments, the notion of "Best Practice" will apply primarily to non-technical issues.
The NRF will most likely offer this as a 'member service' in order to drive up their membership base.