The Customized Approach in PCI DSS 4.0 uses the term mischief to refer to the bad thing that a requirement is designed to prevent. The use of the word mischief has its origins in law which, just like a technical standard, has to interpret written words in the context of real situations.
When a standards body uses a new term, it does so with care. I’m sure it has been a great relief for the SSC that the term mischief has seemingly met with approval from the industry, but what’s the probable origin of the use of mischief in this context?
1. Where Mischief is used in DSS 4.0
Mischief is the word that the PCI SSC decided to use to refer to an “occurrence or event that negatively affects the security posture of the entity” if a PCI DSS requirement is not in place.[1]
The mischief associated with a requirement has to be understood and documented as part of the targeted risk analysis that is required whenever an entity uses the Customized Approach.
In determining the suitability of its own controls to meet the security objective, an entity must carry out a targeted risk analysis, which requires it to:
Describe the mischief that the requirement was designed to prevent.
Detail how their proposed solution will prevent the mischief.
Describe the reasons the mischief may still occur after the application of the selected controls.
Assess whether the use of the entity’s own controls rather than the controls demanded by the Defined Approach Requirement would increase or decrease the likelihood of the mischief occurring.
2. Mischief in English Law
Law is faced with the problem of taking the written words of a piece of legislation and applying it to a real situation. This is not dissimilar to an assessor taking the words of the Standard and applying them to an entity’s environment.
English law has developed some approaches to this task of statutory interpretation (i.e. the interpretation of a statute).
2.1 The Literal Approach
Taking the literal approach means that the words of a statute are taken exactly as they read. As an example, consider the unfortunate case where someone managed to set fire to the inside of their car while it was parked in a car park.[2] A passenger in the car claimed on the driver’s third-party insurance in respect of the injuries they suffered. However, the law under which the insurance was issued said that the policy had to cover “death of or bodily injury to any person or damage to property caused by, or arising out of, the use of a vehicle on a road in Great Britain.”
The court decided that, because the law said “on a road” and a car park is not a road, the insurance company was not liable. The literal approach says that when interpreting the law, words must be given their plain, ordinary meaning.
2.2 The Golden-rule Approach
Now, you may think that it was unfair that the passenger in the car was denied compensation for their injuries. After all, a car park is pretty similar to a road, but that’s the literal approach. And taking a literal approach can have even more unfair consequences.
Take the sad case of Mrs Mary Ann Sigsworth,[3] who died a widow with just one surviving son, Thomas. She did not have a will and so, under the law of intestacy, Thomas would inherit all of his mother’s estate. However, the reason Mrs Sigsworth died was that Thomas murdered her.
Taking the literal approach, the law says that Thomas should inherit. But of course that would be absurd: a murderer would profit from his crime, and the precedent would reward rather than deter it.
So the Golden-rule approach extends the Literal approach, and says that words must be given their plain, ordinary meaning unless that produces an absurd outcome.
2.3 The Mischief Approach
Mr Shane Corkery was arrested while drunk in charge of a bicycle. At the time, the law provided that being “drunk while in charge on any highway or other public place of any carriage, horse, cattle, or steam engine” was an offence.
Mr Corkery argued that, as he was not in charge of a carriage, horse, cattle, or steam engine, no offence had been committed.[4]
The court, rather than taking the Literal or Golden-rule approach, asked what the law was before the relevant statute was enacted by Parliament, and therefore what mischief the new law was intended to remedy or prevent. The mischief in this case was someone in charge of a form of transport on a road while drunk, which could lead to an accident.
The court decided that, since riding a bicycle while drunk was the same sort of mischief as being in charge of a carriage, horse, cattle, or steam engine while drunk, a bicycle counted as a “carriage” for the purposes of the Act, and Mr Corkery was guilty.
The concept of mischief meaning the bad thing that a law (or requirement) is designed to prevent comes from one of the approaches to statutory interpretation in English law.
[1] Appendix E2 in PCI DSS 4.0
[2] Cutter v Eagle Star Insurance Company [1996] EWCA Civ 1029
[3] Re Sigsworth (1935)
[4] Corkery v Carpenter (1951)