Friday, 30 October 2009

PCI DSS in Russia

A lot has been said about the Payment Card Industry Data Security Standard (PCI DSS) established in 2004. Actually, let me correct myself: a lot has been said about what is going on with regards to PCI DSS here in the US. But have you ever wondered what is going on with the standard in other parts of the world? Well, I have. In fact, I do travel to Russia once in a while, and I do use my credit cards there since the currency exchange rate is best when you use a credit card. Plus, credit cards are convenient since you don't have to carry cash around and worry about thieves. But perhaps instead of worrying about physical thieves, I should really worry about virtual ones?

To answer my questions, I did some "yandexing" (the Google equivalent) and found some interesting information. The good news is that a PCI DSS assessment is now a requirement, even though before September 2006 it was not. Unfortunately, according to this article written by Anton Karpov, a Qualified Security Assessor (QSA) working for Digital Security, PCI compliance is still optional. You will be fined if you don't get an assessment, but nothing will happen if you don't pass it. This state of affairs leads to many companies getting an assessment just so that they don't get charged any fines, and going on with their lives no matter what the outcome of the assessment is. Moreover, I found several articles and blog posts (for example, this one) cautioning companies to be careful when choosing their auditors, because some of them incorrectly interpret the standard and others give a passing mark even when the requirements of the standard are not met. The amusing thing is that the blog post seems to be written by Anton Karpov's boss, but when I looked the auditor up via the QSA employee lookup, it turned out that Anton's QSA certificate has expired. I hope he gets it renewed before doing any more audits.

PCI DSS is not the only accepted standard. ISO 27001 and ISO 17799 and their Russian equivalents ГОСТ 17799 and ГОСТ 27001, as well as СТО БР ИББС-1.0, are also accepted. However, even assessments of compliance with these are not mandatory -- they are only recommended. So, it looks like PCI DSS is still a little bit ahead of the others. Sadly, all of the above seems to imply that it's gonna take Russia a little while before it catches up with the US in terms of Software Security Assurance (SSA). But who knows, perhaps I'm wrong.

Posted by yoneil at 12:08 PM in Fortify