New Frontiers...
It's been far too long since I have contributed something meaningful on my PCI blog and I felt compelled based on some work I am doing now, to finally post something with some interesting implications.
In the past 5 years, having spent a great deal of time in the identity management and compliance space the one thing that is repeatedly being talked about is the cost/benefit trade off of compliance. Historically the companies I've worked directly with are spending millions on relatively undefined compliance laws and are having a hard time figuring out how to pay for all of this imposed regulation designed to provide accuracy and transparency of financial information.
The PCI Compliance specification is the first piece of compliance directive that was designed by those in the industry vs. lawyers and politicians and it is because of this approach that I believe it makes more sense than some of the other stuff out there - HIPAA and SOX specifically. It also outlines the downside of not paying attention to the intent or implementations of controls and what they are designed to do. Way to go on clarity.
The one thing that I am starting to have discussions with companies about is how will PCI ultimately be enforced? Will it be auditors' responsibility to blow the whistle? Will it be based on the materiality of the gaps in their PCI program.
To this end I am working a lot of hours on designing PCI as a service. The biggest reason driving this is cost and where the costs hit a balance sheet. There is a fair amount of infratsructure cost tied to PCI if you're behind the times, and the operational controls and expertise on an ongoing basis are anothing thing to consider since PCI is not an event but something that ultimately must be baked into an organization's operational DNA.
What organizations are trying to figure out is how do they keep the capital infrastructure expenses low, and work with companies to provide not just auditing but ongoing compliance. Stay tuned for my thought on this in the next few weeks as I am close on a way to do this.
Mark MacAuley
pcistuff@gmail.com
In the past 5 years, having spent a great deal of time in the identity management and compliance space the one thing that is repeatedly being talked about is the cost/benefit trade off of compliance. Historically the companies I've worked directly with are spending millions on relatively undefined compliance laws and are having a hard time figuring out how to pay for all of this imposed regulation designed to provide accuracy and transparency of financial information.
The PCI Compliance specification is the first piece of compliance directive that was designed by those in the industry vs. lawyers and politicians and it is because of this approach that I believe it makes more sense than some of the other stuff out there - HIPAA and SOX specifically. It also outlines the downside of not paying attention to the intent or implementations of controls and what they are designed to do. Way to go on clarity.
The one thing that I am starting to have discussions with companies about is how will PCI ultimately be enforced? Will it be auditors' responsibility to blow the whistle? Will it be based on the materiality of the gaps in their PCI program.
To this end I am working a lot of hours on designing PCI as a service. The biggest reason driving this is cost and where the costs hit a balance sheet. There is a fair amount of infratsructure cost tied to PCI if you're behind the times, and the operational controls and expertise on an ongoing basis are anothing thing to consider since PCI is not an event but something that ultimately must be baked into an organization's operational DNA.
What organizations are trying to figure out is how do they keep the capital infrastructure expenses low, and work with companies to provide not just auditing but ongoing compliance. Stay tuned for my thought on this in the next few weeks as I am close on a way to do this.
Mark MacAuley
pcistuff@gmail.com
Labels: Compliance as a Service, PCI
posted by Mark Mac Auley at 5:58 AM
0 Comments:
Post a Comment
<< Home