Jan 14 2008

PCI is about transferring the risk, not mitigating it

Published by at 7:21 am under PCI

Alex at RiskAnalys.is is ticked off because he sees the Payment Card Industry Data Security Standard as “being more a bunch of legal-wrangling” than it is about mitigating the risk to the data.  And I think he hits pretty close to home; PCI is about transferring the risk of a data breach from the credit card companies to the person closest to the data: the merchant.  By giving the merchant a minimum set of standards to follow, the credit card companies divorce themselves from the risks associated with a breach and place those risks on the merchant who’s actually holding the data.  Securing the enterprise can be a nice side-effect of becoming PCI compliant, but the real goal is to set a minimum standard that merchants have to adhere to.  The credit card companies can claim best effort when there is a breach, and the liability (and negative press) falls squarely on the shoulders of the merchant who was holding the data.

Yes, I’m more than a little bit cynical.  PCI compliance is about marking off all of the boxes on a checklist, proving that your company is meeting a minimum set of standards.  And a lot of companies hit that minimum and make no effort to keep securing their infrastructure beyond it.  But that’s not a failing of PCI, that’s a failing of the company.  Nowhere in PCI does it say you can’t take additional measures above and beyond those minimums.  There’s no reason in PCI you can’t have a web application firewall as well as a third-party code evaluation.  But most companies won’t do that because it costs money and no one has money to spare.

One statement I heard somewhere is that it’s easier to be PCI compliant by being secure than it is to be secure by being PCI compliant.  If your shop is already being run in a secure manner, you may have to make some changes to meet the letter of the requirements, but they’ll probably be minimal.  If you’re just trying to meet the PCI DSS requirements, though, there’s a good chance you’ll leave open a vulnerability that’s unique to your environment.  Which is why the credit card companies are pushing the risk and liability as close to the data storage as possible: every environment is unique.

Andy, IT Guy has the right idea: rather than thinking of PCI as a minimum standard, use it as a driver for change.  Build your case and sell it.  Use PCI as a fulcrum to implement the changes that need to be made to the corporate environment.  Policy and procedures are a large part of the PCI assessment; use this to make changes to the way your company does business.  Look for ways to implement the PCI requirements that will best benefit your business, rather than complaining about the holes it leaves behind.  When it’s all said and done, it’s the guy who’s there day in and day out who’s responsible for securing the systems, not the PCI assessor who comes once a year for a week.

Additional note:  I think the mailing list Andy and Alex mention is the PCI Standards list on Yahoo.  I created this group about 18 months ago and still approve new members.  It’s an open group: unmoderated, low traffic, and with no official standing with the PCI Council or anyone else.  In other words, don’t post any significant details when sending questions to the list.


3 Responses to “PCI is about transferring the risk, not mitigating it”

  1. Alex on 14 Jan 2008 at 11:44 am

    Great points. And it’s worth noting that there’s nothing wrong with an ISMS or even use of PCI as a template for an ISMS per se, the issue comes in the inflexibility and perception that the letter of the law will fulfill some promise of security.

    I mean to write something on the future of auditing at some point when all this mad rush is over for me.

  2. […] a friend of mine, writes that PCI is about transferring risk and not mitigating it.  This implies that the acquiring bank somehow has the ability or responsibility to prevent a […]

  3. […] PCI DSS is about risk mitigation (or risk transference, depending on your point of view).  It lists a minimum set of standards that merchants and […]
