Aug 09 2009
I wander away from my computer for a day or two and see what breaks out: an argument about PCI that I didn’t even take part in. I’m insulted that Nick Selby and Mike Dahn had fun without me! Actually, Nick’s rant on how compliance is the downfall of humanity, or at least security, is amusing, even if it’s a little over the top, but it’s the fact that Alex Hutton admitted in the comments that he’s come around to appreciating compliance that made the whole post worth reading for me. I like Mike’s response and especially appreciate his point that security professionals have to stop using compliance as a scapegoat for not securing their data. “I couldn’t secure my company because I was spending too much time worrying about being compliant!” is the excuse too many security professionals are using. If you’re not close to being compliant through the security efforts you already have in place, you’re fooling yourself into thinking you were anywhere near secure in the first place!
Nick’s original article was interesting and amusing. Mike does a pretty good job of picking it apart and reminding us that the ultimate responsibility for securing the data lies with the security professional, not with PCI or any other compliance structure. But what really makes this whole discussion worth reading are Alex’s comments, as well as several of the other comments in the stream. If you don’t read Alex’s blog, take the moment or two needed to add it to your RSS feeds.
I’m one of the first to admit that PCI isn’t perfect. It’s a one-size-fits-all structure that doesn’t really fit any business. It’s a bunch of guidelines and ‘best practices’ that have been thrown together and are slowly evolving into something that might actually be cohesive in another five to ten years. But the point people keep missing is that PCI should not be driving your security philosophy; your security philosophy should be driving you to a position where compliance is just a series of check boxes. If you’re secure, if you’re really taking the steps needed to secure your environment, compliance should just be about validating those controls, not something that’s driving you to distraction and taking up all your time.
Branden Williams recently wrote about this as well: “PCI is easy.” PCI is a series of prescriptive controls you need to have in place around your cardholder data. If you’re securing your data properly, then it shouldn’t be a big stretch to become PCI compliant. But if you want an idea of how secure a company would be without PCI, take a few minutes and review their cardholder data environment after they’ve had a good QSA on-site and compare it to the rest of their environment; if all, or even most, of the same controls are in place around the rest of their network, chances are they were secure in the first place and didn’t need to do a lot to be compliant. On the other hand, if you look at a company whose non-PCI network is much looser and less secure than their PCI network, you have a pretty good idea of how insecure their environment would be without compliance. How does your own PCI environment differ from the rest of your production environment? If you can’t say that your non-PCI environment is as secure as your PCI environment, you’ve already lost the argument against compliance.