Opinion
PCI Debate Ignores Planned Improvement Cycle
Ben Rothke says PCI bashers should look at the standard's pragmatic plan for ongoing improvement
By Ben Rothke, CISSP PCI QSA
The genius of the PCI DSS (and when PCI is compared to regulations such as SOX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard. PCI takes a long-term, pragmatic and holistic approach to the problem it is attempting to solve. Compare that with SOX, which Congress ramrodded into law as a kneejerk reaction to the Enron/MCI debacles.
As to the question of whether PCI is a short-term fix: of course it isn't. It's absurd to think that PCI can, in two years, magically obviate decades of security apathy. The bona fide plan for the PCI DSS, as detailed in the PCI Lifecycle Process, is a multi-year effort.
Take something as obvious as keeping illegal drugs out of prisons. If we were to create additional laws against that today, how long would it realistically take prison wardens to rid their penitentiaries of these illegal substances? Can we expect computer security professionals to deal with management and other issues and try to fix insecure merchant systems, and to do that faster than prison guards with vicious dogs and high-caliber rifles?
The truth is, we can't answer the question of whether PCI is working without first defining what we mean by "working." It is imperative to remember that PCI is a long-term strategic solution, not a short-term security fix. So has security improved? Are more organizations realizing their responsibility to protect cardholder data? Are consumers furious that identity theft is affecting them directly? To answer all three questions, as they say in Texas, heck yeah.
Good security takes time. The PCI Security Standards Council understands that. Security professionals understand that. Shouldn't everyone else?
Ben Rothke, CISSP, PCI QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).