Anyone who’s worked in PCI for more than 5 minutes knows it has serious limitations with regard to security. Even the security of cardholder data, which is the only type of data it relates to!
That’s because PCI DSS was not written with comprehensive security in mind, or it would not start and end where it does. It was designed to be security-enough to keep the US Federal Government off the backs of Visa/MC/Amex et al. You would not be surprised to hear that things like this generally happen when someone important is inconvenienced. In this case, a couple of senators were the victims of a credit card breach.
Good security never ends, but it almost always starts with a business need, followed by a Risk Assessment. One pass through the security life cycle ends when the business continuity plan has been updated and the security processes have become business as usual. PCI builds in the Risk Assessment for you (that’s what the 260-odd controls are), does not allow for residual risk, and stops at Incident Response.
In other words, if you take the PCI DSS to the negative extreme, neither the card brands nor the SSC care whether compliance fits your business needs, nor do they care whether you even stay in business (as long as the cardholder data is safe).
Clearly this is not the case: they do care (to a point). The issue is that the majority of organisations working towards compliance either do not care about security themselves (it’s just another cost of doing business), or they do care and just don’t know how to go about it.
So where is the good in PCI? It’s twofold (for the purposes of this post):
1. It has significantly raised the profile of security in general as a business necessity, and;
2. It has driven innovation to an amazing degree into a SIXTY+ year old payment technology …the credit card number (blog pending on this).
OK, so the PCI DSS is limited, but at least it did what NO-ONE has done before, or since: it actually defined what its authors consider to be a minimum standard of data protection. Every other standard says things like ‘appropriate’, or ‘reasonable’. Appropriate and reasonable to whom? The PCI DSS says you must have a firewall capable of stateful packet inspection, you must have up-to-date configuration standards, encryption, logging, POLICIES and so on. The way to compliance is WRITTEN DOWN FOR YOU!
Of course, it’s not that easy, and the confusion is where to start, and how to implement compliance in a way that suits the business, not the other way around. A good QSA can help (White Paper: Selecting the Right QSA), but the assessment process starts with the CEO and a culture of security.
The PCI DSS has changed, and continues to change, the security climate for the better; all you need is the right perspective, and the right guidance.