PCI Shrugged: Debunking Criticisms of PCI DSS
PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security's best interest. Here they refute common complaints and criticisms of PCI DSS.
By Ben Rothke, CISSP, PCI QSA & Anton Chuvakin, PhD
Organizations that are serious about security realize that checklist-based security is not the same as risk-based security. Far too many organizations have an audit-based mentality focused on evading the auditor, rather than a risk-based mentality focused on protecting the cardholder data.
PCI DSS is a good start of a security program, not its end. Checklists do have their place in security, but a security program cannot be reduced to a checklist; attempts to pretend that an organization can 'follow the checklist to become secure' are guaranteed to fail. As Bruce Schneier has noted: security is a process, not a product.
What the Future Holds
At the Visa Global Security Summit in March, Ellen Richey, Visa Chief Enterprise Risk Officer, stated that despite recent data breaches at two payment processors, PCI DSS remains an effective security tool when implemented properly. Recent events revealed that breached organizations seemed to have disregarded PCI's common sense security guidance and were later removed from the list of compliant organizations. Thus, every breach further proves the need for a comprehensive payment security standard.
Not only is PCI not dead, it is alive and well and maturing. In its current version 1.2, it is still evolving, but it is clearly the best we have. The authors challenge anyone to find a better standard or regulation. PCI has helped countless organizations to jumpstart their security programs from scratch. It helped them move from security ignorance to first addressing the basics and then to their own security nirvana.
Most of those who make baseless criticisms of PCI simply lack an understanding of the fundamentals of information security and risk; they also lack an understanding that many organizations need to learn to "stumble" with security before they can walk, much less run.
Conclusions
Most attacks against PCI boil down to "we don't like it" or "PCI is useless," rather than a direct critique of the standard or of the ways in which it can be improved.
PCI has taken the masses of security-illiterate companies and forced many of them into some semblance of security. It has given them 12 specific requirements with which to start their security program. The biggest positive of PCI, which fully justifies its continued existence, is that it shoved security in the faces of people who managed to live through the wormy '90s and the lossy '00s without paying much attention to information security, under the guise of "it can't happen to us."