PCI Is Meaningless, But We Still Need It - InformationWeek
Commentary
1/22/2009
11:46 AM

PCI Is Meaningless, But We Still Need It

The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing.

The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering PCI won't eventually lead to higher awareness. It will just drive you crazy.

Consider this statement from Visa regarding PCI assessments. Assessments "do not guarantee that those security controls remain in place after the review is complete."

In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off. So, PCI wants to enhance the security of payment account data, but it will only validate that enhancement within the limited time period of a review.

I believe PCI was constructed this way for two reasons. First, it absolves the assessors and the card brands of any liability should a compliant company get breached. The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows.

At present, PCI allows Visa and the other card brands to impose their will on merchants and card processors without having to assume any of the risk that the standards they impose have weaknesses or flaws, or that merchants and processors are actually following those standards outside the limited time period of an annual review.

Second, the PCI program lets the card brands demonstrate that they are policing the industry, so as to stave off government regulations.

In effect, the card brands take a paternal approach to data security without actually taking any responsibility the way a parent should.

It's like giving a kid a set of rules, and then leaving the kid alone for a year. You check up on the kid every June. If the house is relatively clean and he's had a bath recently and is consuming something other than Froot Loops and beer, you pat him on the head and say "Good job. See ya next year!"

Then the house burns down. Child Services shows up and says "Hey, what happened?" You say "Well, we told him not to play with matches. It was in his rule book. Not our fault."

If PCI actually reduces the risk of card data theft, that's a bonus for the card brands, but as far as I can see, it's not a major goal in the construction of the PCI program.

That's why I'm really curious to see how the Heartland mess shakes out. What if data was being stolen at the exact time Trustwave Systems, Heartland's assessor, was signing off on compliance?

One, it would be very embarrassing to Trustwave and PCI. Two, it would demonstrate that even when a company is doing everything it is supposed to, breaches can still happen.

And this is my major beef with PCI. No security program or practice or technology is invulnerable. Smart, well-run organizations can still get whacked by clever or lucky criminals. We understand that stuff happens.

The main goal of a program like PCI should be to reduce risk. But as it's currently constructed and implemented, any risk reduction that occurs is a second-order effect. PCI's primary goal is to cover the butts of the card brands. That's not fair to the organizations compelled to comply with PCI, and it's not fair to consumers.

Unfortunately, we are also faced with lots and lots of organizations that either don't know how to reduce their risk or don't care to. These organizations require third-party impetus to get their heads out of the sand. PCI provides the stick necessary to get organizations moving, and offers a remedial framework upon which they can build.

So until and unless something better comes along, we're stuck with PCI.
