Software // Information Management
Commentary
1/23/2009
09:29 AM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

A Smarter Alternative To PCI

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.The credit card brands should replace PCI with a simple agreement: We, the card brands, don't want credit card information to be stolen. You, the retailers and processors, can do whatever you think is necessary to protect that information. If card data still gets stolen, we will penalize you commensurate with the scale of the breach.

Under this agreement, organizations are free to evaluate their risks against their controls, and act accordingly. They don't have to spend time and money figuring out how to make their systems conform to a set of check boxes and waste resources on controls that may not fit their operations.

Here's why I think this is a better alternative:

Industry standards can be implemented two ways: in the spirit of the standard, or by the letter of the standard.

The spirit of PCI DSS (Payment Card Industry Data Security Standard) is clear: reduce the risk that credit card data will be stolen by implementing sensible security controls on the hardware and software that touches card data.

But there's no effective way to measure compliance with the spirit of a standard. You can only measure by the letter. In the words of my colleague Mike Fratto, you can only fill in the check boxes.

The essential flaw with PCI is that a company can fill out all the check boxes, but not necessarily be any more secure. In other words, they can satisfy the letter of the standard, and completely fail to meet its spirit.

For example, a company can have a firewall, but not configure it properly and never analyze the logs. They can deploy an IDS, and then tune it so broadly that it will only fire if the Morris worm makes a comeback. They can toss a Web application firewall in front of a server farm, but never fix the underlying vulnerabilities in the Web apps.

According to the letter of the standard, such a company has met its obligations, but it hasn't made card data any safer.

So what happens? The PCI Security Council makes the standards more prescriptive, which they've done several times already. But there's only so far you can take this before you end up trying to dictate a soup-to-nuts security and operations program for organizations with dramatically different business processes, network architectures and risk profiles. It just can't work.

If your organization has great QA and development teams that crush Web vulnerabilities like the Steelers crush opposing quarterbacks, you may decide a Web application firewall isn't necessary. You can take the $100,000 you would've been forced to spend on that firewall and invest it in another full-time security engineer. Or you can take that money and install gold faucets in the executive bathroom. It's your money and your risk.

This doesn't mean we have to get rid of the PCI standards body. Organizations that have no idea where to start with a security program can use the PCI DSS standard voluntarily, as a framework on which to build out their operations. They can select the controls that make sense for their environment and their risks.

I believe this system will be more effective at enforcing the spirit of PCI than the current system. That is, I believe it will do more to protect my credit card data than the current system.

If you think you know better than the PCI council on protecting card data, do whatever the hell you want. Or follow the minimum practices recommended by the card brands. But instead of tangling with assessors and trying to game the system to be compliant, put that energy and money into actually reducing risk. And understand that if you blow it, the card brands will swoop down with their penalties.

As the Heartland breach shows, even PCI-compliant companies get breached. No security program or practice or standard is invulnerable. So lets stop pretending that PCI as it stands makes things safer. Let's flip it on its head and see what happens.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.