Sep 23 2009
A new survey has been released by Imperva and the Ponemon Institute concerning the effectiveness of PCI; despite the best intentions and efforts of many security professionals, this survey points out that PCI is only having a limited effect in stopping digital thieves from stealing credit card information. One of the most telling statistics from the survey is that the majority of companies, 71%, treat PCI as a tactical maneuver rather than a strategic initiative. In other words, too many companies treat PCI as a checklist of requirements rather than using it as an overarching plan. And in the end, the checklist approach is always going to be less secure and leave more vulnerabilities than viewing PCI as something to be incorporated into long-term thinking on security.
It’s not that PCI is ineffective in and of itself; there are few who can still argue that the PCI requirements aren’t basic security measures that should be implemented by almost every business. You can argue that PCI doesn’t go far enough or that there’s too much left open to interpretation, but the majority of the PCI requirements are logical and make sense to implement. The Ponemon survey does point out that one of the major flaws of the standard is that merchants are only looking at credit card numbers, leaving large amounts of other sensitive information, such as Social Security numbers and bank account details, unprotected. And as much as I wish PCI could address this data as well, it’s going to remain outside of the purview of the credit card industry for the foreseeable future.
What’s ineffective is how we use PCI to secure our enterprises. Only 27% of all companies are using PCI as a lever to raise awareness of security in their enterprises. And by ‘raise awareness’ I mean ‘get the money to implement needed security measures’. Security is always a fight for the budget needed to implement it, in large part because preventative measures are a hard sell when you can’t point to direct consequences or benefits. I’ve always argued that the greatest benefit of PCI is to be had by using it to garner support for security initiatives and gain the resources needed to implement security measures. However, that requires thinking about security strategically, which can be very hard if you view PCI as just another set of requirements that are getting in the way of doing your job.
And that is the crux of an effective implementation of PCI versus an ineffective one; if you view PCI as a part of your security program and something that can be used to implement security, then the chances of it positively impacting your enterprise are pretty good. But if you view PCI as just another annoyance that’s distracting you from your real security job, the chances are it will have little or no positive influence on your security posture. Like so many things in life, the effectiveness of PCI is going to be based on how you look at it and how you choose to incorporate it into your strategies. Funny how that works, isn’t it?
If you haven’t read it yet, you owe it to yourself to download and read the 2009 Data Breach Investigations Report from Verizon Business. It backs up much of what the Ponemon Institute has discovered and should be required reading for every serious security professional. You can also listen to my interview with one of the authors, Wade Baker, from this year’s RSA Conference.