Tuesday, April 6, 2010

PCI III: Addressing the Criticisms of the PCI DSS – Scope of Protection

In Part II of my PCI series, I listed the criticisms of the PCI DSS I’ve heard to date and asked for readers to add to the list. Nothing’s been added to date, so I’m going to address the list I have. If more criticisms are raised later, I’ll address them at that time.

Criticism: Achieving PCI DSS compliance does not protect all private information from all threats.

I don’t think this is a valid criticism. It’s an absolutely true statement, but it’s not a valid criticism. It’s also a true statement that a Kevlar vest won’t protect you from drowning, but that’s not a valid criticism of Kevlar vests. Kevlar is designed to mitigate the risk of getting shot, not every single thing that can kill you. If Kevlar were designed to prevent drowning, it’d look a lot less like Kevlar and a lot more like a life vest. Similarly, PCI only mitigates the risk of cardholder data theft, not every single thing that you can have stolen. Few people are likely to require you to wear Kevlar when they should be telling you to wear a life vest, and a good thing, too!

A problem arises, however, when a company subject to PCI DSS compliance figures it can cut some corners and achieve broad security goals through the application of a narrowly designed standard. It’s an approach doomed from the start because the PCI DSS is only concerned with the merchant’s/service provider’s risk insofar as the merchant has a liability to the card brands if it doesn’t adhere to the standard. The standard’s controls are scoped to the systems that store, process, or transmit cardholder data and anything connected to them; everything outside that scope gets no protection from the standard at all. As I wrote before, PCI is about mitigating the card brands’ and the consumer’s risk associated with permitting that merchant or service provider to handle credit cards. Square peg in a round hole, ugly duckling is a beautiful swan, brings a knife to a gunfight, pick the metaphor of your choice: this bus simply doesn’t go to that station.

It can, however, get you on your way, and I do know someone who survived bringing a knife to a gunfight. A PCI DSS compliant set of people, process, and product can be leveraged to protect other information assets: the same access controls, logging, vulnerability management, and network segmentation that get you through an assessment work just as well on systems that never see a card number. Likewise, a comprehensive information security program can provide PCI DSS compliance with a minimal amount of tweaking, if you happen to have one of those in place. A disturbing number of companies spent decades ignoring warnings to mitigate their risks, and now the chickens are coming home to roost. (I don’t think I have enough metaphors in this one…)

I think this criticism is more properly addressed to those who see PCI DSS as the latest Answer To All Their Prayers… and to those vendors who position it that way in order to sell something. I’m not going to name names at this time, but if you’ve got some maybe we can start a hall of shame.

My readership may be small, but it’s diverse. Do you see this sort of thing in your personal and professional lives? What are some examples of successfully using one tool for many purposes? What horror stories arise from trying to use a screwdriver as a hammer or vice versa? Think I’ve missed something about this criticism? I’d love to hear about it.