

March 27, 2007

How Good or Bad is the PCI Data Security Standard?

I've been on the road quite a bit the last few weeks, so I've been a little quieter on the blog front than I'd have liked.

In between my stops, I did pick up some of the fodder on the "Is PCI DSS Good or Bad" debate between Mark at Security Buddha and Michael at PCI Compliance Demystified. In full disclosure, I did attend the PCI Conference in San Francisco with Michael. I thought I had a pretty thorough grasp on PCI compliance, but Michael really knows his stuff.

A few points I'd like to make.

First, we have to remember the PCI Security Standards Council is still in its infancy as the standards body overseeing the PCI Data Security Standard. As a member of the Council, I had the opportunity to participate in a member webex. This was an initial effort to foster direct communication among the members of the group, who, by the way, make up a broad spectrum of the various constituencies the standard impacts (consumers excepted).

Based on what I heard, I am confident there will be ample opportunity to communicate the weaknesses within version 1.1 of the standard, so that continued improvements will be made. Can we say the same for Sarbanes-Oxley, HIPAA or GLBA? Which of the bodies overseeing those compliance regimes (SEC, PCAOB, HHS, FFIEC, FTC) is soliciting feedback? Anyone?

Second, and more importantly, efforts to tighten the compliance standards must continue, so that they prove not just compliance but a serious commitment to a secure environment. Even so, the real issue continues to be enforcement, and specifically the enforcement of penalties for non-compliance.

In poring through some past issues of Network Computing, I came across Patrick Mueller's article on some recent FTC action related to a data breach of an insecure e-commerce server. Now, there are a lot of twists and turns to this particular story that are interesting, but the thing that stood out to me like a giant billboard was this: "It became the FTC's 14th data-security case." 1,400 wouldn't have surprised me. I might have done a double-take at 140. But, 14??

We're not even talking about non-compliance here. We're talking about breaches. I don't know about you, but I certainly read about a lot more than 14 of those...a month!

Once again, there is no accountability placed on organizations to take information security seriously.


Comments

You raise a few interesting points Alex. I agree that enforcement is still a weak spot in DSS, but we're taking a giant leap now that security is finally being taken seriously within that field.

The other day I came across an interesting whitepaper which might be interesting for readers of your blog who are less well versed when it comes to PCI DSS: http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf

Hi Alex,

Michael is pretty passionate about PCI, and I think he has convinced both of us that PCI is fundamentally a good thing. He also encourages everyone who contributes to PCI Compliance Demystified to be as neutral as possible, which I think makes it very fair, but often difficult to have debates like this.
In short, I agree with his belief that PCI is good, certainly better than no PCI, and at the very least a step in the right direction. What is difficult is the lack of pain associated with PCI.
Whether this is due to organisations, card companies, the FSA, the legal system (I have posted about our lack of disclosure rules in Europe a number of times), users or hackers is open to interpretation.

Rob.
