PCI DSS v3.0 – First Impressions

Have you all seen the ‘sneak peek’ yet?

I have to admit that, with 3 YEARS to accept and process feedback, I was hoping for a little more in the way of progress.  I’m optimistic that way, but I really should have known better.

Many changes were proposed, lots of them good, some of them naive and bordering on the comical, but any that made it through are so watered down as to be virtually irrelevant.  And we won’t get any more for 3 more years?

The standard is already behind the times, and it is only going to fall further behind if it does not keep up with payments innovation and show a better integration with the needs of the business, i.e. STAYING in business.

I have taken the table of changes out of the SSC’s document and added my own thoughts.  Unfortunately they are overwhelmingly negative, and at times my frustration is clear. Go here if you want to download it.

I do, however, want to make it clear that I’m not against the PCI DSS as much as I appear.  No standard has raised security awareness as much before, or since, and it’s the only one that puts its money where its mouth is.  While there is still some vagueness and room for interpretation, it’s a damn sight better than just saying ‘use appropriate security based on good practices’ like most do.

The reason I stick to the negative is that I’m assuming the positive is self-evident, and all I really care about is addressing the gaps between where the standard is and where it should be.  As Ego says in Ratatouille: “In many ways, the work of a critic is easy. We risk very little yet enjoy a position over those who offer up their work and their selves to our judgment. We thrive on negative criticism, which is fun to write and to read. But the bitter truth we critics must face is that, in the grand scheme of things, the average piece of junk is more meaningful than our criticism designating it so.”

This applies every bit as much to my blogs.

I have only addressed the PCI DSS stuff; PA-DSS is not my thing.  If someone wants to take a stab at that, I’ll be happy to post it here as a guest blog.

3 thoughts on “PCI DSS v3.0 – First Impressions”

  1. The SSC goes completely against the general trend of the tech industry of prototyping, shipping fast, iterating often and fixing issues on each iteration. But at least it doesn’t take almost 10 years to update like ISO 27001.

    • Could not agree more, Bruno, and I dare say the innovation in the payment industry will outstrip both the SSC’s ability to keep up, as well as good security practices in general.

      It’s about functionality; we are still not in a place where security is anything but retroactive.

      • And, quite weirdly, as pretty much everything converges to a web services-based model, I don’t see changes to requirement 6.x addressing development issues.

If you think I'm wrong, please tell me why!
