PCI DSS, Come Forward and Be Judged

It wasn’t supposed to be that big a deal. I was at an event in Boston put on by the 451 Group, and wasn’t even sure I’d walk out of there with something to write about. Then Josh Corman, one of the firm’s new analysts, got on stage and started picking apart the PCI Data Security Standard (PCI DSS) — or, more specifically, the approach companies are taking in their compliance efforts.

Within five minutes of Corman finishing his talk, I had banged out this article and posted it:

Analyst: PCI Security a Devil, ‘Like No Child Left Behind’

Summary: Joshua Corman, research director for enterprise security at The 451 Group, says the private sector’s obsession with PCI DSS compliance is blinding it to larger threats.

The story began:

By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.That was one of the main messages delivered by Joshua Corman, research director for enterprise security at The 451 Group, during that firm’s 4th Annual Client Performance Conference Wednesday morning. “Organizations have made PCI DSS and compliance in general the basis of their information security policies,” he said. “They’re basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all.” He compared PCI DSS to No Child Left Behind, the education reform law championed by former President George W. Bush. The law has been criticized by some who believe it has stifled innovation in education and focused too much on standardized testing.

Reaction was swift. Within a half hour, my Twitter stream was blazing with comments, most of them unhappy about what Corman had to say.

Two of my Twitter associates came forward and offered to team up for a rebuttal column — Ben Rothke, a security consultant with BT Professional Services and author of Computer Security: 20 Things Every Employee Should Know, and Dr. Anton Chuvakin, a recognized security expert in the field of log management and PCI DSS compliance.

PCI DSS: No Angel, But Certainly Not the Devil

Security luminaries Anton Chuvakin and Ben Rothke explain why 451 Group analyst Josh Corman is off base when he compares PCI security to a devil and “No Child Left Behind.”

Among other things, they wrote:

We’d like to remind PCI critics that as they whine about PCI as too little, too late, organizations that handle your sensitive data are conducting gross negligence in regards to security. Please get out of your perfectionist ivory tower and see the real world; a world full of security laggards — not leaders that you are accustomed to! When Corman writes that “compliance with such laws and industry standards as Sarbanes-Oxley and PCI drives companies to spend far more on security than they might otherwise,” he misses the point entirely. PCI pushes companies to do far more for security than their old negligent approach. Many companies start there and then eventually “graduate” to having a solid security program. Once they get there, any new standard or regulation will be easier to retrofit. Please don’t confuse companies clueless about security with PCI DSS guidance. PCI was never meant to “cure stupid.” Perhaps the most egregious comparison Corman makes is to lump PCI with SOX. The two have truly nothing in common. SOX wasn’t the best course of action — rather, it was an imprudent regulation created by a Congress that did not know what the problem was or how it happened. One is hard pressed to find anyone who would say that the cost of SOX compliance was equal to its benefit.

Martin Mckeay, a QSA and the man behind the Network Security Blog and Podcast, fired off a tweet suggesting there ought to be a podcast debate on this, with me as moderator. After all, my article had started all the ruckus.

Corman, Chuvakin and Rothke were quick to accept, as were IT security pros Jack Daniel, Ward Spangenberg, and Michael Dahn.

Then we quickly ran into our first problem: Getting eight people on the phone at the same time when all of us are frequently traveling and live in different time zones.

An e-mail trail quickly began in an effort to sort it all out. Hundreds of e-mails in, we were still wrestling over logistics.

We finally got on the phone in December. Most of us, anyway. Scores of follow-up e-mails, tweets and IM messages followed. We tentatively agreed to a Jan. 6 face-off.

On Jan. 4, it started to appear doubtful that the debate would proceed on time. Someone asked to have the recording moved to an hour or so earlier because of a pesky meeting he got roped into. The West Coasters began to worry that too early a start time for them would result in a podcast of aimless blubbering.

I pressed on, encouraged by Jack, who is always ready with some words of wisdom.

“I think it will be good. And even if it turns into a train wreck, people like to see carnage,” he assured me.

And so it happened.

We had a lively, mostly civil and always enlightening discussion about the good and bad of PCI DSS. And I think listeners will learn something from it all.

The first half hour of the debate will appear early next week on my podcast show. The second half will appear on Martin’s show.

I’m also going to transcribe the whole thing for readers who don’t prefer the written word to audio. That will take a little longer to appear.

While you wait for the content to appear, may I suggest you bone up on the subject and check out some of our previous coverage on PCI DSS? Some of my favorites are below:

• Heartland CEO on Data Breach: QSAs Let Us Down
• A Tale of Two PCI Security Audits
• PCI’s Post-Audit Pain Points
• PCI Council to Merchants: Kiss Your WEP Goodbye
• PCI, QSAs, Hackers, and Slackers: Will the Real Enemy Please Stand Up?
• Unmasking DLP: The Data Security Survival Guide
• End-to-End Encryption: The PCI Security Holy Grail