Jan 14 2008
Alex at RiskAnalys.is is ticked off because he sees the Payment Card Industry Data Security Standard (PCI DSS) as “being more a bunch of legal-wrangling” than an effort to mitigate the risk to the data. I think he hits pretty close to home: PCI is about transferring the risk of a data breach from the credit card companies to the party closest to the data, the merchant. By handing the merchant a minimum set of standards to follow, the card brands divorce themselves from the risk of a breach and place it on the merchant who is actually holding the cardholder data. Securing the enterprise can be a nice side effect of becoming PCI compliant, but the real goal is a minimum standard that merchants have to adhere to. When there is a breach, the credit card companies can claim they made a best effort, and the liability (and the negative press) falls squarely on the shoulders of the merchant who was holding the data.
Yes, I’m more than a little cynical. PCI compliance is about checking off every box on a checklist and proving that your company meets a set of minimum standards. A lot of companies hit that minimum and make no effort to secure their infrastructure beyond it. But that’s a failing of the company, not of PCI. Nowhere does PCI say you can’t take additional measures above and beyond those minimums; nothing in the standard stops you from deploying a web application firewall and also commissioning a third-party code review, rather than settling for one or the other. Most companies won’t do both, though, because it costs money and no one has money to spare.
One statement I heard somewhere is that it’s easier to become PCI compliant by being secure than it is to become secure by being PCI compliant. If your shop is already run in a secure manner, you may have to make some changes to meet the letter of the requirements, but they’ll probably be minimal. If you’re just trying to meet the PCI DSS requirements, though, there’s a good chance you’ll leave open a vulnerability that’s unique to your environment. Every environment is unique, and that is exactly why the credit card companies push the risk and liability as close to the data as possible.
Andy, IT Guy has the right idea: rather than treating PCI as a minimum standard, use it as a driver for change. Build your case and sell it. Use PCI as a fulcrum to implement the changes that need to be made to the corporate environment. Policies and procedures are a large part of a PCI assessment; use that to change the way your company does business. Look for ways to implement the PCI requirements that will best benefit your business instead of complaining about the holes they leave behind. When all is said and done, it’s the person who’s there day in and day out who is responsible for securing the systems, not the PCI assessor who comes in once a year for a week.
Additional note: I think the mailing list Andy and Alex mention is the PCI Standards list on Yahoo. I created that group about 18 months ago and still approve new members. It’s an open group: unmoderated, low traffic, and with no official standing with the PCI Council or anyone else. In other words, don’t post any sensitive details about your environment when sending questions to the list.
3 Responses to “PCI is about transferring the risk, not mitigating it”