PCI Shrugged: Debunking Criticisms of PCI DSS
PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security's best interest. Here they refute common complaints and criticisms of PCI DSS.
By Ben Rothke, CISSP, PCI QSA & Anton Chuvakin, PhD
April 16, 2009 — CSO —
Ayn Rand's 1,100-page novel Atlas Shrugged deals with the morality of rational self-interest. Among information security professionals, there is likely no greater example of rational self-interest than the promotion of the PCI Data Security Standard (DSS).
PCI is a pragmatic standard that requires security-comatose organizations to wake up to their responsibilities. And while PCI is only mandatory for companies that handle credit and debit cardholder data, it is relevant to any organization.
The writers of this article are not suggesting PCI DSS is flawless. Yet even with its limitations, it is better than the status quo of self-enforcement or, sadly, security negligence. Information security professionals who should know better are attacking PCI for baseless reasons, even though the standard is one of their most effective weapons for getting attention from senior management.
Let's now take a look at some of the issues/complaints leveled against PCI and see how they really stack up.
Complaint: PCI is a Distracter from Security and Risk Management?
A common complaint among those who have to deal with PCI on a regular basis is that being compliant with the payment card standard takes away from the time, money and effort that could be better spent on core information security issues. We beg to differ; everything in PCI is core security. One cannot start dealing with advanced security and technology topics, such as thwarting loss of intellectual property or protecting against insider threats, before the PCI-prescribed basics such as network access control, anti-malware, system logging and more are in place.
Previous compliance efforts, such as Sarbanes-Oxley, have encouraged a check-box approach. However, organizations that have developed a formal information security program will find that PCI compliance is useful for security and not an onerous distraction. The six PCI DSS control objectives and 12 requirements all correspond to good security practices. Therefore, if an organization has a mature security program, PCI DSS will be easy. If it doesn't, PCI DSS presents a perfectly logical place to start.
While an organization can attempt to pursue PCI DSS compliance for compliance's sake without regard to security, such irresponsible behavior can hardly be blamed on the PCI DSS standard itself. Thus, most security practitioners who feel that PCI DSS detracts from security probably do not understand PCI or the fundamentals of information security.
Complaint: Data Breaches Prove PCI DSS Useless?
The Heartland breach has been used extensively by the media to show that PCI is ineffective. While the dust has yet to clear from Heartland, let's assume for a moment that this large payment processor was 100% PCI compliant. True, we do know that Heartland was most likely not compliant at the time of the breach, but bear with us. One should not assume that compliance means breaches cannot occur; no set of controls reduces risk to zero. A simpler explanation applies here: they were breached despite being PCI DSS compliant, not because the standard failed.