Hardest Thing About PCI DSS?


anton_chuvakin
02-23-2009, 03:29 PM
Hey all,

I was curious what the forum members consider to be THE HARDEST part of "the whole PCI thing"?

The reason I am asking is that many of the folks I spoke with are pretty evenly split over "technology is the hard part; the rest is easy" and "technology is the easy part; figuring out what to do, what policies to follow, etc. is hard."


Hoping for a fun discussion!

alphonze
02-23-2009, 08:04 PM
The hardest thing about PCI DSS? That would be persuading the merchants not to ignore it.

Seriously. I am in a part of the world where compliance is not yet the norm. I'm evangelising like mad, talking to merchants, telling them, "you will *have* to do this at some point, and you might only get 30 days warning..."

And they yawn, shuffle papers, and hope it'll go away, while their web site continues to take payment card details without any SSL.

jbhall56
02-24-2009, 04:44 PM
I would say it's getting people and their organizations to take it seriously. With all of the press on how the PCI standards change all of the time, people are turned off by something they feel they cannot achieve. What I try to explain is that security is an always changing field because the tactics of the attackers are always changing in response to the changes made to protect networks and data. So, the PCI standards must also change to address the latest threats. Tis the nature of the beast. If you don't like it, you need to find a different occupation or business.

wconway
02-24-2009, 11:47 PM
I'll split my response into two parts. The most important part is getting C-level/top mgt commitment. And I did say 'commitment' meaning budget, resources, and share of mind, not 'support'...

For the hardest part I nominate staying compliant. That involves less sexy work like education, training, implementing/enforcing policies, patching, and making security a part of everyday merchant life.

jbhall56
02-25-2009, 05:39 AM
WConway brings up a very good point, staying compliant.

That requires a day-to-day diligence to ensure that the security posture is maintained at all times. For most people and organizations, it gets so tedious that they start to cut corners and that is where they 'fall off the wagon' and a breach has its best chance to occur. One thing organizations should consider is the rotation of people through positions in the security area so that the diligence level can be maintained. This also promotes cross training of personnel so that they are better equipped to cover more roles. However, cross training also requires that personnel are consistently trained in each area so that they come to their new roles with a consistent level of competence and capability.

jonassono
02-25-2009, 07:12 AM
Frankly, the average person I talk to, including merchants, wonders why the card brands are so bent out of shape about card fraud when there is so little fraud occurring. One merchant that I patronize demands picture identification whenever payment is made with a Visa or MasterCard (but not a debit card). I asked the last time they were defrauded - the answer was "he couldn't remember". Their annual sales would be in the range of $1M to $2M - not trivial.
I then asked if he was PCI-DSS compliant and his answer was "what's that". Duugghhh!!!!

mdahn
02-25-2009, 09:43 AM
I like the fact that everyone approaches "the hardest part" from their individual perspective.

- Wconway expresses the need for executive buy-in
- alphonze reminds us that we cannot forget about it (similar to the above, but harder)
- jbhall56 takes the perspective of an auditor and reminds us to not forget about it year after year - staying vigilant
- others might say technology is the most important, from the perspective of a vendor or implementor

I take the perspective of an educator, who has talked with thousands of people a year about their struggles with PCI. I think the most important is to make the standard digestible into bite-sized pieces that are comprehensible, actionable, and work within their business.

That is to say, the hardest part of PCI is understanding the process and then realizing that it is one piece of the whole. Focus enough to understand but not so much you have tunnel vision. This is the eternal balancing act I like to instill in others.