Friday, October 16, 2009

Praying to PCI Gods

Obviously, inspired by Amrit’s “Exorcising the PCI demons” and, in fact, morphed right from it.

“… But let’s get back to Josh’s demonological metaphor and consider some of the ways that PCI resembles ...” the Benign Deity (specific deity is up to the reader…)

The God holds promise. PCI DSS offers its adherents access to the spiritual riches — and not only those attainable through debit and credit cards — so long as they know and respect (and validate!) PCI’s 12 commandments. While delivering its spiritual riches, it also makes its adherents BETTER in the process: better security, better businesses, better awareness of the threats.

The God is honest. PCI does not promise falsities such as “to make retailers secure against hackers.” It promises to raise them out of the ignorance and “0wnage” to finally having a modicum of much-needed security technology and process.

The sorry history of breaches, blowouts, and damaged reputations attests that there is a long and sometimes difficult road ahead of us and that both faith and hard work will be needed along the way.

The great thing is that PCI is likely the best tool that many organizations can use to protect a transaction technology based on account numbers, magnetic stripes, fixed user identities, and passwords.

The God is an inspiration for goodness. PCI has led countless companies and organizations to improve security and reduce their operational risks – as well as instill customer confidence.

Security professionals often find themselves assisted by the PCI God when they win an argument with management, which then allows them to start taking actions to block threats and keep the business running and out of the negative press. PCI both inspires them to build a solid security program and helps them as a powerful force for good security.

The God loves humanity, even its haters. As at least one commentator has pointed out, the PCI standard is a brilliant way to shift responsibility for IT security from card issuers to retailers.

It is indeed brilliant, since many merchants are negligent and lose card data in massive amounts as a result of their own ignorance, while issuing banks have to “eat” all of the card replacement costs, which are due to no fault of their own.

Card issuing banks did not invent and institute the technologies that have proven so vulnerable to moderately skilled hackers. When a breach occurs, merchants shrug and talk about their devotion to promulgating security measures, knowing that the issuers will be left with all of the card replacement costs and some of the fraud costs.

The God is sometimes a sacrificial lamb. There are two groups that will vehemently attack the virtues of PCI while completely lacking any insight into it. One group is organizations that refuse to implement any security measures and prefer to be negligent and breach the social contract with their customers by losing their data left and right. The other group is idiotic perfectionists who want all the data to be protected all the time, no matter what the business impact. The latter group also wants somebody (but, obviously, not them!) to pay for an overhaul of the world’s electronic payment processing systems.

Vendors that provide security solutions and those that provide PCI assessment services, also known as qualified security assessors (QSA), will always position PCI as necessary and useful for security. Indeed, PCI God guides the willing – by providing the Data Security Standard – and motivates those still in the darkness – by providing the validation regime and His army of God’s Angels aka QSAs.

At this point, readers may ask, with all of the God’s awesomeness and track record in doing good even to those who prefer to remain ignorant, why do people criticize it? Well, remember the old saying: "I see..."

UPDATE: link for the "I see..." updated; the previous link had some bad language in comments. Thanks to one of my readers for pointing it out.

Amrit, sorry for all the quoting! :-) Enjoy!

Dr Anton Chuvakin