A Smarter Alternative To PCI - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
1/23/2009
09:29 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

A Smarter Alternative To PCI

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.The credit card brands should replace PCI with a simple agreement: We, the card brands, don't want credit card information to be stolen. You, the retailers and processors, can do whatever you think is necessary to protect that information. If card data still gets stolen, we will penalize you commensurate with the scale of the breach.

Under this agreement, organizations are free to evaluate their risks against their controls, and act accordingly. They don't have to spend time and money figuring out how to make their systems conform to a set of check boxes and waste resources on controls that may not fit their operations.

Here's why I think this is a better alternative:

Industry standards can be implemented two ways: in the spirit of the standard, or by the letter of the standard.

The spirit of PCI DSS (Payment Card Industry Data Security Standard) is clear: reduce the risk that credit card data will be stolen by implementing sensible security controls on the hardware and software that touches card data.

But there's no effective way to measure compliance with the spirit of a standard. You can only measure by the letter. In the words of my colleague Mike Fratto, you can only fill in the check boxes.

The essential flaw with PCI is that a company can fill out all the check boxes, but not necessarily be any more secure. In other words, they can satisfy the letter of the standard, and completely fail to meet its spirit.

For example, a company can have a firewall, but not configure it properly and never analyze the logs. They can deploy an IDS, and then tune it so broadly that it will only fire if the Morris worm makes a comeback. They can toss a Web application firewall in front of a server farm, but never fix the underlying vulnerabilities in the Web apps.

According to the letter of the standard, such a company has met its obligations, but it hasn't made card data any safer.

So what happens? The PCI Security Council makes the standards more prescriptive, which they've done several times already. But there's only so far you can take this before you end up trying to dictate a soup-to-nuts security and operations program for organizations with dramatically different business processes, network architectures and risk profiles. It just can't work.

If your organization has great QA and development teams that crush Web vulnerabilities like the Steelers crush opposing quarterbacks, you may decide a Web application firewall isn't necessary. You can take the $100,000 you would've been forced to spend on that firewall and invest it in another full-time security engineer. Or you can take that money and install gold faucets in the executive bathroom. It's your money and your risk.

This doesn't mean we have to get rid of the PCI standards body. Organizations that have no idea where to start with a security program can use the PCI DSS standard voluntarily, as a framework on which to build out their operations. They can select the controls that make sense for their environment and their risks.

I believe this system will be more effective at enforcing the spirit of PCI than the current system. That is, I believe it will do more to protect my credit card data than the current system.

If you think you know better than the PCI council on protecting card data, do whatever the hell you want. Or follow the minimum practices recommended by the card brands. But instead of tangling with assessors and trying to game the system to be compliant, put that energy and money into actually reducing risk. And understand that if you blow it, the card brands will swoop down with their penalties.

As the Heartland breach shows, even PCI-compliant companies get breached. No security program or practice or standard is invulnerable. So lets stop pretending that PCI as it stands makes things safer. Let's flip it on its head and see what happens.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
IT Employment Trending Up; Data, Cybersecurity Skills in Demand
Jessica Davis, Senior Editor, Enterprise Apps,  11/11/2020
Slideshows
The Ever-Expanding List of C-Level Technology Positions
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/10/2020
Commentary
How to Approach Your Mission-Critical Big Data Strategy
Mary E. Shacklett, Mary E. Shacklett,  11/17/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Slideshows
Flash Poll