PCI DSS: A Standard for Uncertainty

Author: Wells


The Payment Card Industry Data Security Standard (PCI DSS) looks as though it is a single, international data security standard and, on the face of it, that's exactly what it is. The truth, however, is in the detail of implementation and surveillance: it's applied and enforced very slightly differently by each of the members of the PCI consortium, and this inconsistency creates an unnecessarily large amount of confusion.

This inconsistency of application is one of three significant weaknesses in PCI DSS as a standard for information security. The others are the framework for monitoring compliance and the inconsistency with standard risk-based information security management systems. Let me deal with these issues individually.

1. Inconsistency in application: because the guidance as to which organizations are actually within the scope of PCI DSS is inadequate (and scoping compliance within organizations requires care and experience), we encounter many organizations, often smaller ones with perhaps only a few thousand payment card transactions per year that have completely outsourced their e-commerce payment processing, being told that they need to comply with PCI DSS irrespective of the fact that they receive and process zero payment card information themselves.

2. Compliance monitoring: the PCI council created a body of QSAs to audit compliance with PCI DSS and to report to acquiring banks on the extent to which the organizations they audit are compliant with PCI DSS. As QSA organisations are able to benefit directly from consultancy work arising from their audits, there may sometimes be a tendency amongst such organisations to identify compliance requirements more onerous than appropriate for the organisations they are auditing. This possibility is made easier by the inadequate scoping guidance referred to above and by the non-optional nature of PCI DSS controls, discussed below. Compared with an international management system certification scheme, such as that for ISO/IEC 27001, in which external, third-party auditors are barred from providing consultancy services and have to demonstrate their neutrality, the PCI DSS scheme has loopholes.

3. Information security management systems usually start with a risk assessment: the management identify risks (with identifiable impacts and likelihoods) and select information security controls that will be proportionate to the value they have at risk and to their risk appetite. While PCI DSS does mention that organisations should do a risk assessment, it doesn't allow management any discretion as to which controls should be applied. Of course, the view of the payment card companies is that it is their credibility (and their balance sheets) at risk and, therefore, that they are fully entitled to require the implementation of specific controls by merchants. It is this aspect of PCI DSS that gives it the characteristic of a compliance framework, as distinct from an information security management system, and that makes implementation particularly challenging for smaller organisations.

These three aspects of PCI DSS compliance mean that organisations increasingly need some form of unbiased, third-party PCI DSS consultancy service that will give them practical advice on how to minimise the costs of compliance while at the same time minimising the risks of exposure; in other words, helping them integrate their PCI DSS compliance activity into the rest of their information security management system (which, hopefully, will be certificated as conforming to ISO/IEC 27001).
