Thursday, April 09, 2009

Five Reasons to Dislike PCI DSS – And Why They Are WRONG!

These will become a core of a longer paper to be released soon. For now, enjoy these:

  1. PCI DSS is a distraction from “real” risk management and security: WRONG! Your “real”, risk-focused, advanced security must start somewhere – why not start from the basics, which happen to be mentioned in the PCI DSS documents? Surely you wouldn’t want DLP (not in PCI) before you have a firewall (in PCI DSS) or a security policy (in PCI too)?
  2. PCI is just checklist security: WRONG! The “checklist security” and “Compliance First!” approaches are indeed ugly and harmful, but prescriptive security guidance (like PCI) is NOT the same as “checklist security;” it just contains more useful details on means, not just goals. On the other hand, if you are hell-bent on following the letter (1.1 … check; 1.2 … check, etc.) and not the spirit (= protect cardholder data), you can. Just don’t fault PCI for it – fault yourself!
  3. We “got compliant” and now we are breached – it’s PCI’s fault: WRONG! First, you probably were not compliant at the time of the breach, since you “forgot” about ongoing compliance (and only focused on point-in-time validation). Second, if you are breached, it is the attacker’s fault and [maybe, if you were negligent] your fault, but definitely not PCI’s.
  4. PCI is “security theater,” the appearance of security with no real risk reduction: WRONG! How is having a security policy, incident response plan, firewall, encryption, log management, etc. the appearance of security? One can be “faking it,” but then again: how is that PCI DSS’s fault? It is the faker’s fault! “Faking security” is no better (in fact, worse!) than “ignoring security” altogether, but the mandate didn’t cause it.
  5. PCI is just not enough: RIGHT! So, again, why do you dislike it for this? Did you really expect some document from somebody to guarantee your security? Reeeally? So, yes, PCI DSS is not enough, but it is a useful starting point for many, many organizations who would otherwise not start AT ALL and would have your credit card data neatly stored in a text file on their MS IIS 4.0 web server…

Are there more reasons? Likely, yes. Feel free to add them – and we can debate.

1 comment:

Walt Conway said...

Number 6: PCI costs too much. Wrong: the cost of non-compliance and a breach is even higher.

Number 7: The federal government should step in and set a security standard. Oh so very Wrong: states are already chipping away at it, but if there is national legislation you will soon be wishing for the return of the 'good old days' with PCI.

Dr Anton Chuvakin