Japanese Merchants Find PCI Compliance Audits Challenging
QSA Yiochi Ueno on Why Companies Find It Tough to Comply
Many merchants in Japan find it difficult to pass a PCI Data Security Standard audit because the PCI guidelines change too frequently, argues Yiochi Ueno, a Qualified Security Assessor who audits merchants.
"The ever-changing guidelines can be a major concern for companies," Ueno says in an interview with Information Security Media Group. "No matter what kind of security standards you implement, every time you want to follow a new guideline, there are certain steps that you have to go through, which becomes an additional [financial] burden that you have to bear."
In this interview (see edited transcript below) with Information Security Media Group, Ueno discusses:
- The challenges in meeting evolving PCI DSS requirements;
- The financial burden of compliance for smaller companies;
- Recommendations on how to have a smooth audit process.
Ueno, representative director president at the International Certificate Authority of Management System, is a QSA, or Qualified Security Assessor. QSAs audit merchants for compliance with the Payment Card Industry Data Security Standard. Since 2008, Ueno has made significant contributions to PCI awareness activities with major domestic payment service providers in Japan.
SUPARNA GOSWAMI: Are the ever-changing guidelines for PCI DSS compliance a cause of concern for merchants in Japan who are audited for compliance?
YIOCHI UENO: The ever-changing guidelines can be a major concern for companies. No matter what kind of security standards you implement, every time you want to follow a new guideline, there are certain steps that you have to go through, which becomes an additional [financial] burden you have to bear.
The problem with changing rules is that eventually each individual may start to interpret them in his or her own way. And I have actually witnessed some situations where people just come up with their own rules sometimes. And this may result in PCI compliance deteriorating eventually. It requires a lot of effort to keep the seriousness.
Tough for Small Firms
GOSWAMI: Do you feel ever-changing PCI DSS guidelines are particularly unfair to smaller companies, considering it is a huge financial burden for them?
UENO: Definitely. I feel it is almost impossible for small companies to be in compliance with PCI because they are tough requirements. Sometimes these small companies don't have adequate IT and technology skill sets. As a result, they have no clue about these requirements and are misguided into investing in technologies they don't have to.
GOSWAMI: As a QSA, or Qualified Security Assessor, what are some common pain points that you have been hearing from merchants when it comes to meeting PCI DSS requirements?
UENO: To satisfy the requirements, there are some initial costs that one has to bear. Most companies in Japan find this a burden. Furthermore, there are certain companies who believe that in order to meet audit standards, they have to invest in expensive infrastructure or systems. They are forced by external factors like peer pressure, auditing, etc.
Everyone wants to market that they are PCI compliant, but it need not always be through expensive systems. Companies often end up overinvesting in applications they don't actually need. It's a vicious circle. This unfortunately is a sad reality.
GOSWAMI: Given this background, what are your top recommendations for companies looking for a smooth PCI DSS compliance audit process?
UENO: I would say it's important to create a framework that suits your company's structure. We can't blindly apply the same security technologies as used by another company even if it happens to be in the same kind of business.
I often find companies just blindly imitating others. Every company has its own IT skill sets and management philosophy. There are 100 different approaches when it comes to IT security. We have to find the right answer that suits us.
Also, auditing should not be looked at as additional investments in technologies. If you feel a certain technology is not needed by you, then you don't have to overinvest.
I have seen companies using auditing as a marketing tool. Some companies deploy all the possible tools and market it. It's a serious process and must be used for the purpose it is meant for.