Monday, March 22, 2010

PCI II: Criticisms of the PCI DSS

Having given a very brief explanation of the PCI DSS standard and how the credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I’m going to continue this series by discussing the controversy surrounding the standard.

Let me begin by stating the position I intend to defend in this blog: I believe the requirement that merchants and service providers adhere to the standard is an appropriate means of mitigating the credit card companies’ risk – to say nothing of consumers’. I believe that PCI DSS compliance benefits credit card companies, consumers, merchants, and service providers. In every PCI DSS engagement I’ve been involved in, becoming compliant has directly resulted in the merchant or service provider mitigating their own risk. This is not to say that the standard is perfect – the PCI Council recognizes that, and the standard evolves as a result.

Finally, if a business can’t afford to be PCI compliant, they can’t afford to possess credit card information and the penalties of PCI DSS noncompliance correctly highlight this fact. There are ways for such businesses to accept credit cards from customers without posing an undue risk to their customers, and it behooves them to avail themselves of those methods and services.

I want to be sure that I’m addressing all the criticisms of the standard, so I’m listing the ones I’ve picked up to date:

  1. Achieving PCI DSS compliance does not protect all private information from all threats.
  2. PCI DSS compliance has commanded resources that might have otherwise been spent on projects of more importance to a given company’s Infosec department.
  3. The cost of achieving PCI DSS compliance puts it beyond the reach of small merchants, exposing them to fines and liabilities that could well be rapidly ruinous to their businesses.
  4. The assertion that “None of the merchants that have been compromised are PCI DSS compliant” is a tautology because vagueness in the standard permits the Council to retroactively declare any merchant who has been compromised non-compliant.

If you have or have seen another one, please comment and let me know.