security
Evolution of PCI

by Heather Mark

    Recently, the PCI SSC announced an update to the Payment Card Industry Data Security Standard (PCI DSS). The new standard is known as version 1.2. Since PCI DSS version 1.1 was published in 2006, there have been some interesting modifications to the standard. In June 2008, Requirement 6.6 took effect, requiring all companies to address application-layer vulnerabilities through one of several methods. Requirement 5 of PCI DSS version 1.2 now requires that malicious-software protection be provided on all operating systems. Previously, Requirement 5 applied only to systems "...commonly affected by viruses." The evolution of the PCI DSS is consistent with the evolution of other regulatory standards and follows the incremental pattern I like to call "regulatory constriction."
    In the most basic sense, regulatory constriction is just what it sounds like: a process of continual tightening of regulatory requirements on companies in reaction to changing threats and evolving risks. There are several repeating steps in the spiral that, in theory, could continue ad infinitum.
    In the first step, Initial-Event-Occurrence, some major event occurs. In the case of the payment card industry, this event is generally a data compromise. The event brings attention from those with the power to regulate, in a process borrowed from biology and known within public policy as punctuated equilibrium. The second step logically follows the first and is known as Regulatory-Reaction. In order to prevent similar events in the future, a regulatory group devises a set of standards or requirements designed to reduce the likelihood of a repeat occurrence. This next phase of the constriction comes with the implementation of the new regulation, or with increasingly rigorous, or increasingly strict, changes to an existing regulation. As the industry struggles to adopt the new standard or mandate, the regulators tout its effectiveness and its necessity. Members of the industry are sold on the notion that following this new mandate will significantly reduce the possibility of another devastating, attention-grabbing event. The challenge, particularly with respect to the payments industry, is that the rapid evolution of preventative technology is equaled by the evolution of the means to circumvent that technology.
    Despite the implementation of the new standard or regulation, the industry enters the following phase of the regulatory constriction spiral: a Repeat-Event-Occurrence. The repeat event takes the entire industry, even the regulators, by surprise. The new standard was intended to prevent, or at least significantly reduce, further data compromise events. Unfortunately, the organized nature of computer crime makes the protection of data analogous to a Cold War arms race. With the best will in the world and ever-increasing protective measures, companies are unable to protect against every conceivable exploit. The result is a recurrence of the cycle, starting again with step 2, Regulatory-Reaction, to address the aftermath of the event.
    The most obvious example of this type of regulation is the influx of data breach notification laws. In this scenario, the regulators have conceded that the battle to prevent the breach will not be won, so we should instead deal with the consequences of the breach. In fact, it can be argued that the data breach notification laws have had an unintended consequence. Now, consumers have been brought into the picture. Not only have they been notified that their data has been exposed, but they are demanding action to prevent any further exposures.
    In response, the industry proceeds to Regulatory-Reaction by tightening regulations. The existing regulation, it is presumed, has a strong foundation. There may be some newly identified attack patterns that will allow regulators to be more prescriptive in their mandates for data protection. Unfortunately, as mentioned previously, as quickly as new regulation and new technology can be implemented, so too can ways to circumvent that technology. This inevitably leads to another event, and the cycle begins again, resulting in ever-tightening regulation. The result is a stranglehold on businesses.
    The term "constrict" can be defined as "to make narrower, especially by encircling pressure." This may accurately depict the way many companies are feeling today as a result of the rapid and seemingly endless influx of data security and consumer privacy regulations. A company's field of focus, which may previously have been on the total picture of organizational success, becomes increasingly concerned with issues of compliance and data security. The questions of customer service or production, while still important, can suffer as a result of increased focus elsewhere. Often, organizational resources are a zero-sum game: to increase resources in one area, resources must be reduced in another. As a result, companies often feel an increased pressure to accomplish more with less. Additionally, as mentioned in the preceding paragraph, the field of vision becomes increasingly narrow. Every question seems to circle back to data security and privacy. Certainly these are important considerations, but in order to continually evolve, a company must pursue new products, new operational processes and procedures, and new partnerships without necessarily making data security the penultimate criterion. In this way, over-regulation constricts not just resources, but opportunity as well.
    The payment card industry has certainly been an example of this, though other industries are equally susceptible. The evolution of PCI DSS, PA DSS, PED requirements and various other industry regulations bears out the increasingly constrictive nature of regulation in the industry. Couple that with actions at the state and federal level and one can easily see how businesses, both large and small, become overwhelmed with the notion of compliance. While any one of the standards might not be considered too overwhelming, when one adds up compliance with industry regulation, over three dozen state breach notification laws, the growing trend of laws prohibiting the storage of certain types of data, FACTA, GLBA, SOX and the Federal Trade Commission's position on consumer privacy, companies can easily be forgiven for feeling they are in the security business, as opposed to the widget (or fill in the blank) business. When sales agents are answering more questions about security and compliance than they are about total cost of ownership or operational efficiencies, the regulation can be said to be too constrictive. There is nothing inherently wrong with complying with data security standards and regulations, though it does become problematic when resources are cannibalized from a company's core functions and competencies.
    The initial model of regulatory constriction is somewhat one-dimensional, as it accounts for only one of the mandates that is constricting business processes. The reality of regulatory constriction, though, more closely resembles a rubber-band ball. Layer upon layer of regulation and industry mandates combine to create an almost impenetrable wall of regulation. Companies become so bound by regulation that it is difficult to separate compliance initiatives from business objectives.
    Again, the payment card industry serves as a prime illustration of such a phenomenon. For many organizations, PCI DSS serves as the first layer of constriction. Many companies use PCI DSS compliance as a starting point for security projects. PCI DSS is prescriptive enough that organizations often must undertake major reconfigurations of their data security programs. Once an organization has completed that project, it is confronted with the knowledge that it must now contend with more than forty state breach notification laws. Each law is slightly different from the last, resulting in forty more rubber bands added to the ball.
    Many states have now augmented their consumer privacy laws as well. In these cases, a state may have both a data breach notification law and a privacy law that dictates the circumstances under which consumer data may be shared. Still other laws may exist, as in Nevada, that dictate how consumer data may be transmitted.
    Additional layers of constriction are also added at the federal level. Laws ranging from the Gramm-Leach-Bliley Act (GLBA) to the Health Insurance Privacy and Portability Act (HIPAA) may impact the protections afforded to consumer data. Additionally, the Federal Trade Commission has taken an active role in the enforcement of security and privacy promises.
    The point of this discussion is not to overwhelm the reader with the depth and breadth of regulation, but to illustrate the knowledge and expertise one must have to navigate the growing penumbra of legislation and industry self-regulation. As the layers of constriction continue to grow, the company at the center of that constriction becomes less and less focused on core competencies and more focused on complying with an increasingly complex lattice of legislation.
    The Regulatory Constriction model, while certainly not the intended model of any regulatory body, is quickly becoming the de facto method of developing regulation. It has significant drawbacks for organizations needing to comply, as well as for the organization that developed the mandate. The approach is reactionary: controls are imposed only after deficiencies in the existing standard are identified through events such as data compromises. Additionally, the approach makes incremental changes to laws, creating a situation in which companies struggle to budget resources to comply. It also prolongs the compliance project. Rather than achieving compliance and then managing the maintenance of that state, organizations are forced to constantly reach for newer, stricter standards.