In Depth

PCI Shrugged: Debunking Criticisms of PCI DSS

PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security's best interest. Here they refute common complaints and criticisms of PCI DSS.

By Ben Rothke, CISSP, PCI QSA & Anton Chuvakin, PhD


It is surprising to the authors that security professionals will hold the view that following an external guidance document can guarantee 100% security to any organization. A person can walk out of a doctor's physical in seemingly perfect health and drop dead before they reach their car. That does not necessarily mean that the doctor was incompetent or that medicine is a faulty science! In much the same way as a doctor cannot guarantee the health of the patient, neither PCI nor any other regulatory guidance can guarantee that there will not be breaches. 100% PCI compliance does not guarantee that an entity is 100% secure, or even as secure as it needs to be. Complexity is the worst enemy of security, and today's payment systems and merchant networks are far too complex to be made bullet-proof. If Heartland proves anything about PCI, it is that basic PCI DSS security is not enough.

Complaint: PCI is Just Security Theater?

Security Theater is a term popularized by BT CSO Bruce Schneier. Schneier used it originally to describe what he sees as the ridiculous TSA security measures in use at US airports. Security theater gives the semblance of security, but with no real security benefit and no risk reduction.

Can PCI be used as security theater? Certainly it can. An organization can follow the letter and not the spirit of the standard just to get the auditors off its back. It can procure some security appliances and other hardware, find a QSA (Qualified Security Assessor) who is not aggressive enough, and pass its assessment.

However, if done correctly and seen as a security starting point rather than a compliance end point, PCI is the antithesis of security theater. PCI compliance is simply taking 12 core areas of security and implementing them. PCI is not the alpha-and-omega epitome of security; it is meant to be used as a lower limit of security, not the ultimate goal.

Complaint: Is PCI Just a Dumb Checklist?

No one likes peas. As children, Mom made us eat them. Maternal verification of pea consumption was made by simply looking at the plate; an empty plate meant a belly full of peas. Of course, Mom could also have verified consumption by checking the pea-covered floor, or by looking at the dog's green teeth.

For many, PCI compliance means emptying their plates via yet another compliance checklist. They often do the bare minimum in the hope that they can gain compliance and make the QSA go away. At times they may even lie to their QSA or on the Self-Assessment Questionnaire (SAQ).
