These will become a core of a longer paper to be released soon. For now, enjoy these:
- PCI DSS is a distraction from “real” risk management and security: WRONG! Your “real”, risk-focused, advanced security must start somewhere – why not start from the basics, which happen to be mentioned in PCI DSS documents. Surely you wouldn’t want DLP (not in PCI) before you have a firewall (in PCI DSS) or a security policy (in PCI too)?
- PCI is just checklist security: WRONG! “Checklist security” and “Compliance First!” approach is indeed ugly and harmful, but prescriptive security guidance (like PCI) is NOT the same as “checklist security;” it just contains more useful details on means, not just goals. On the other hand, if you are hell-bent on following the letter (1.1 … check; 1.2 … check, etc) and not the spirit (=protect card holder data), you can. Just don’t fault PCI for it – fault yourself!
- We “got compliant” and now we are breached – it’s PCI’s fault: WRONG! First, you probably were not compliant during the breach since you “forgot” about ongoing compliance (and only focused on point-in-time validation). Second, if you are breached, it is attacker’s and [maybe, if you were negligent] your fault, but definitely not PCI’s.
- PCI is “security theater,” appearance of security with no real risk reduction: WRONG! How is having a security policy, incident response plan, firewall, encryption, log management, etc appearance of security? One can be “faking it”, but then again: how is it PCI DSS fault? It is the faker’s fault! “Faking security” is no better (in fact, worse!) than “ignoring security” altogether, but the mandate didn’t cause it.
- PCI is just not enough: RIGHT! So, again, why do you dislike it for this? Did you really expect some document from somebody to guarantee your security? Reeeally? So, yes, PCI DSS is not enough, but it is a useful starting point for many, many organizations who would otherwise not start AT ALL and will have your credit card data neatly stored in a text file on their MS IIS 4.0 web server…
Are there more reasons? Likely, yes. Feel free to add them – and we can debate.
Possibly related posts: