Any company makes x profit of which a small % is allocated to security. Nothing wrong in that, the company has other costs and needs to make a profit (and we are in recession after all).

Pre-PCI, all that small budget would be focussed on the high-risk areas. In this case, the web servers that were hacked. Post-PCI, you have over 200 controls to apply to a wide variety of systems.

It’s the removal of a risk based approach, allowing orgs to put budget to the high-risk areas year-on-year, that is the biggest failing of PCI. Nobody is chasing security any more, they are all chasing compliance.

Perhaps the work that Network Solutions undertook to become PCI-DSS compliant resulted in the breech being detected, analysed and remediated in a timely manor that actually reduced the effect of the breech. Any network can potentially be breached, what PCI brings is detective and preventative controls as well as an incident response plan. Perhaps if they had not put all the PCI controls in place the breech may have gone undetected for months even years.

One of the controls of PCI-DSS (12.1.2) is that you conduct a threat risk assessment against your CDE (Cardholder Data Environment). Perhaps today is a good time to take this to your CEO\CTO and ask for time and resource to conduct an assessment.

When your only goal is the bottom line your core business (or at least what should be the core values of your business) will suffer.

You know a risk analyzer somewhere has done the math based on how much the extra security would cost and how likely an event is and how much the fallout from an event would cost and said it just isn’t worth it to spend more on compliance. Additional security is also something that is probably not going to result in additional sales, making it that much harder to justify economically.

In tough economic times, it’s easier to say “let’s do the minimum required, roll the dice on the rest and deal with any problems IF they occur, since they probably won’t.” It’s a bad long-term philosophy, but it usually works quite well in the short term.

In situations where the free market doesn’t force businesses to the right thing you need to legislate it and make the penalties so severe that not complying isn’t a viable option. You hear stories all the time about business that violate regulations for years, make hundreds of millions of dollars in profits from those activities and then get hit with a $50 million fine. It might not be right, but from a business perspective, that’s not a bad deal. If the fine was double your ill-gotten gains, people might think twice about it.

So if you want strict compliance and better overall PCI security make the fines outrageous, something like $1000 per piece of breached data. Network Solutions had 573,928 records stolen. A fine of $573 million makes spending money on better security seem like a good idea instead of an unnecessary expense.

For example they say you have to physically secure the servers, but they don’t say with what. Lock and Key? Machine Sentry Guns? Gas Chamber? Tie a rope around them?

Since they are indeed general and not terribly specific about many requirements, its very valid to say that even you are fully PCI compliant, it doesn’t mean at all the entire network is anything resembling fully secure, but rather that you knew how to implement a few broad guidelines as they relate to payment processing and data storage.

For example, it doesn’t mean every client workstation not related to the payment card systems is fully locked down, content filtered, IPS’s scanned, etc…since that’s not a requirement for PCI specifically.