A Smarter Alternative To PCI

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.The credit card brands should replace PCI with a simple agreement: We, the card brands, don't want credit card information to be stolen. You, the retailers and processors, can do whatever you think is necessary to protect that information. If card data still gets stolen, we will penalize you commensurate with the scale of the breach.

Under this agreement, organizations are free to evaluate their risks against their controls, and act accordingly. They don't have to spend time and money figuring out how to make their systems conform to a set of check boxes and waste resources on controls that may not fit their operations.

Here's why I think this is a better alternative:

Industry standards can be implemented two ways: in the spirit of the standard, or by the letter of the standard.

The spirit of PCI DSS (Payment Card Industry Data Security Standard) is clear: reduce the risk that credit card data will be stolen by implementing sensible security controls on the hardware and software that touches card data.

But there's no effective way to measure compliance with the spirit of a standard. You can only measure by the letter. In the words of my colleague Mike Fratto, you can only fill in the check boxes.

The essential flaw with PCI is that a company can fill out all the check boxes, but not necessarily be any more secure. In other words, they can satisfy the letter of the standard, and completely fail to meet its spirit.

For example, a company can have a firewall, but not configure it properly and never analyze the logs. They can deploy an IDS, and then tune it so broadly that it will only fire if the Morris worm makes a comeback. They can toss a Web application firewall in front of a server farm, but never fix the underlying vulnerabilities in the Web apps.

According to the letter of the standard, such a company has met its obligations, but it hasn't made card data any safer.

So what happens? The PCI Security Council makes the standards more prescriptive, which they've done several times already. But there's only so far you can take this before you end up trying to dictate a soup-to-nuts security and operations program for organizations with dramatically different business processes, network architectures and risk profiles. It just can't work.

If your organization has great QA and development teams that crush Web vulnerabilities like the Steelers crush opposing quarterbacks, you may decide a Web application firewall isn't necessary. You can take the $100,000 you would've been forced to spend on that firewall and invest it in another full-time security engineer. Or you can take that money and install gold faucets in the executive bathroom. It's your money and your risk.

This doesn't mean we have to get rid of the PCI standards body. Organizations that have no idea where to start with a security program can use the PCI DSS standard voluntarily, as a framework on which to build out their operations. They can select the controls that make sense for their environment and their risks.

I believe this system will be more effective at enforcing the spirit of PCI than the current system. That is, I believe it will do more to protect my credit card data than the current system.

If you think you know better than the PCI council on protecting card data, do whatever the hell you want. Or follow the minimum practices recommended by the card brands. But instead of tangling with assessors and trying to game the system to be compliant, put that energy and money into actually reducing risk. And understand that if you blow it, the card brands will swoop down with their penalties.

As the Heartland breach shows, even PCI-compliant companies get breached. No security program or practice or standard is invulnerable. So lets stop pretending that PCI as it stands makes things safer. Let's flip it on its head and see what happens.