
How PCI Leaders are Different from Other Merchants
BY DAVE TAYLOR
Guest Columnist David Taylor is Research Director of the PCI Alliance, Founder of the PCI Knowledge Base, and a former E-Commerce and Security analyst with Gartner

Over the last several months we've conducted over 100 hours of anonymous interviews with retailers, hotels, banks, card processors, PCI assessors, service providers and security technologists. We are about to issue the first report based on those interviews, the PCI Leadership Report. The whole point of the report is to provide an in-depth examination of what leading merchants are doing to go beyond the "minimalist" approach to the PCI "checklist" and to prepare their enterprises to protect all types of confidential data against any type of security breach. What follows are some of the "highlights" of the report, without all the statistics and quotations that would, frankly, take up too much space. If you want the whole "shootin' match", just register at the PCI Knowledge Base. I sense you're getting excited already!

  1. PCI Leaders leverage controls data to predict breaches - Our study of PCI Leadership found that many merchants rushed to get PCI compliant quickly, implementing controls piecemeal as the checklist demanded. Leaders focused more on Security Information and Event Management (SIEM), using the data those controls generate to predict or stop problems before they became serious.
  2. PCI Leaders have tools or services to monitor their environment - Leaders know that security and compliance must be monitored continuously, and they have implemented automated log monitoring and alerting tools (or have engaged services) to sort through the vast reams of log data. Other merchants lack the time or staff to review the logs.
  3. PCI Leaders share ownership of PCI - The most successful leaders do not try to run PCI all by themselves. They have "deputized" internal audit, HR, data owners and store managers and given them specific things to do, from employee education to access monitoring to policy enforcement. Leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT.
  4. PCI Leaders focus investment on tracking individual actions - The leading firms have implemented Identity and Access Management and Data Loss Prevention tools to automate the provisioning of access and to monitor privileged user access to confidential data, along with role-based access control, so that when roles change, permissions change with them. The actual types of tools implemented vary widely, as do the costs.
  5. PCI Leaders use risk management tools - Because PCI is pass/fail (every requirement must be met to be compliant), most merchants treat the checklist as the finish line; only leading firms have gone beyond it to manage their security based on a thorough risk analysis. Beyond a basic "stoplight" rating spreadsheet, a risk analysis requires that companies take specific actions to address identified risks, in priority order.
  6. PCI Leaders protect other data besides card numbers - One of the clearest definitions of going "beyond PCI" is the organization that applies the PCI security controls to Social Security numbers, account numbers, and other confidential data. The key is defining and enforcing a data classification scheme. We addressed this in an earlier column, and still recommend a near-term focus on adding SSN protection to credit card data protection.
  7. PCI Leaders monitor their service providers and partners - PCI itself asks for little more than a written agreement that a service provider will adhere to PCI and a program to track its compliance status. Leading firms are doing real due diligence on their service providers and partners: some are sending out questionnaires, others are sending auditors to review the security of their service providers.
  8. PCI Leaders use fewer compensating controls - Very few enterprises achieve PCI compliance with no compensating controls at all. But leaders typically have 5 or fewer CCs, while the typical enterprise requires 10 or so. Where the compensating controls are applied could be the subject of a whole series of columns, or a whole separate report from the PCI Knowledge Base (see below).
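Items 1 and 2 above describe log monitoring and alerting only in general terms. What follows is an added example written for this page, not code from the PCI Leadership Report or from any vendor's SIEM product: a small rule engine that streams syslog-style lines (constructed sample data, not a real system's logs) and raises alerts for a burst of failed logins, a successful login shortly after that burst, and a privileged account reading a cardholder table from a host outside the admin jump-host list. The log format, the policy values (six-attempt lock-out threshold, 30-minute window, which accounts, tables and hosts count as privileged, cardholder and approved) and the rule names are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system). Each line is
# "<ISO timestamp> <host> <app>: <EVENT> key=value ...". The first seven lines
# are a burst of failed logins followed by a success; the last is a privileged
# account reading a cardholder table from a host that is not an admin jump host.
SAMPLE_LOGS = """\
2009-03-02T02:14:07 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:09 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:12 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:15 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:19 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:22 db01 auth: LOGIN FAILED user=svc_report src=10.1.5.22
2009-03-02T02:14:30 db01 auth: LOGIN OK user=svc_report src=10.1.5.22
2009-03-02T09:05:11 db01 db: QUERY user=dba table=card_txn rows=12 src=10.1.9.8
2009-03-02T10:00:00 db01 db: QUERY user=app table=card_txn rows=1 src=10.1.7.3
2009-03-02T13:30:45 db01 auth: LOGIN FAILED user=jsmith src=10.1.7.40
2009-03-02T13:31:02 db01 auth: LOGIN OK user=jsmith src=10.1.7.40
2009-03-02T23:41:52 db01 db: QUERY user=dba table=card_txn rows=48120 src=10.1.5.22
"""

# Assumed (hypothetical) policy values for this example. The lock-out threshold
# mirrors PCI DSS's "not more than six attempts"; the rest is site-specific.
POLICY = {
    "fail_threshold": 6,
    "window": timedelta(minutes=30),
    "privileged_users": {"dba", "root"},
    "cardholder_tables": {"card_txn", "card_vault"},
    "admin_jump_hosts": {"10.1.9.8"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev.update(KV_RE.findall(ev["msg"]))             # key=value pairs become fields
    ev["event"] = KV_RE.sub("", ev["msg"]).strip()  # what is left is the event name
    return ev


def detect(log_text, policy=POLICY):
    """Stream the log through three rules and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    flagged = {}                    # user -> time a brute-force alert was raised

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev.get("user", "?"), ev.get("src")

        if ev["event"] == "LOGIN FAILED":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > policy["window"]:   # slide the window
                q.popleft()
            if len(q) >= policy["fail_threshold"]:
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "ts": ts, "count": len(q)})
                flagged[user] = ts
                q.clear()

        elif ev["event"] == "LOGIN OK":
            # A success shortly after a burst of failures is the urgent signal:
            # the account may already be compromised.
            t0 = flagged.pop(user, None)
            if t0 is not None and ts - t0 <= policy["window"]:
                alerts.append({"rule": "success_after_brute_force", "user": user,
                               "src": src, "ts": ts})
            failures[user].clear()

        elif ev["event"] == "QUERY":
            if (user in policy["privileged_users"]
                    and ev.get("table") in policy["cardholder_tables"]
                    and src not in policy["admin_jump_hosts"]):
                alerts.append({"rule": "privileged_cde_access_off_jumphost",
                               "user": user, "src": src, "ts": ts,
                               "rows": int(ev.get("rows", 0))})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["ts"].isoformat(), a["rule"], a["user"], a["src"])
```

On the sample data this raises three alerts and stays quiet on the single mistyped password and on the DBA's daytime query from the approved jump host. The point of the second rule is the one item 1 makes: the failed-login burst on its own is noise a tired analyst skips, while a success right after it is the event that should page someone before the 48,120-row read at 23:41 happens.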
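Item 6 says the key to going "beyond PCI" is a data classification scheme that is actually enforced, and item 4 mentions Data Loss Prevention tools; neither says what "enforced" looks like in practice. The following is an added example for this page, not code from the report or from any DLP product: a classifier that scans a record for primary account numbers (PANs) and Social Security numbers, uses the Luhn check and the SSA's structural rules to drop false positives, masks what it found the way PCI DSS Requirement 3.3 allows (first six and last four digits at most), and labels the record. The two-level RESTRICTED/INTERNAL scheme and the sample record are assumptions for illustration; the PANs in it are the well-known test numbers, not real cards.

```python
import re

# Patterns for the two data types this example classifies. PAN: 13 to 19
# digits, optionally separated by spaces or dashes; SSN: the dashed form only.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812) that every real PAN passes; it filters out
    phone numbers, order IDs and other digit runs the regex also matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def mask_pan(digits):
    """Display form permitted by PCI DSS Requirement 3.3: at most the first
    six and last four digits in the clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text):
    """Return (label, findings) for one record. The label is RESTRICTED if any
    PAN or SSN is present, else INTERNAL (an assumed two-level scheme)."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "PAN", "masked": mask_pan(digits), "span": m.span()})
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append({"type": "SSN", "masked": "***-**-" + m.group(3), "span": m.span()})
    findings.sort(key=lambda f: f["span"])
    return ("RESTRICTED" if findings else "INTERNAL"), findings


# Constructed sample record (not real data): two Luhn-valid test PANs, one
# plausible SSN, one structurally impossible SSN, a phone number, and a
# 16-digit order reference that fails the Luhn check.
SAMPLE_RECORD = ("cust=J.Doe card=4111 1111 1111 1111 alt=378282246310005 "
                 "ssn=123-45-6789 bad=666-12-3456 phone=555-0100 ref=4111111111111112")

if __name__ == "__main__":
    label, found = classify(SAMPLE_RECORD)
    print(label)
    for f in found:
        print(f["type"], f["masked"], f["span"])
```

Two practical notes. First, the regexes alone would flag the phone number's neighbours and the order reference; the Luhn and SSA checks are what keep the finding count low enough that people act on it. Second, the masked form is the only thing this code ever returns or prints, so the classifier itself does not become one more place where full PANs and SSNs are written to a log.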
I'll end with a question, just to see if you read this far: We're trying to decide if our next report should focus on (1) an in-depth examination of how compensating controls are created and where they are used, or (2) a study of merchant readiness to comply with PCI DSS 6.6, which comes due at the end of June, or (3) a review of the various technologies, vendors and products, and the positive or negative recommendations of the interviewees. If you have an opinion, send me an e-mail, or visit www.KnowPCI.com and click "Register" to join the PCI Knowledge Base.
 
TCA Home | ARTICLES | WEBINARS | SIGN UP | EVENTS | SPONSORS | PARTNERS | EXPERTS | ABOUT | CONTACT | PRIVACY POLICY | UNSUBSCRIBE | TCA RSS Feed

Copyright ©2009 The Compliance Authority, Inc.