I am catching up on my reading and ran across an article on Computerworld’s Web site entitled, “Post-breach criticism of PCI security standard misplaced, Visa exec says.” There are a number of interesting and very insightful quotes in this article that I think deserve further discussion.
The first quotes are from Ellen Richey, Visa’s Chief Enterprise Risk Officer. In her first quote, Ms. Richey states that the PCI DSS, “remains an effective security tool when implemented properly.” Later on, she is quoted as saying, “As we have said before, no compromised entity has yet been found to be in compliance with the PCI DSS at the time of the breach.” And here is the payoff quote from David Taylor at PCI Knowledge Base. Mr. Taylor states, “It’s easy to find somebody to be in noncompliance if that is the primary goal.” Bingo!
Do not get me wrong. I agree whole-heartedly with the concept of the PCI DSS and the other standards. I think they are a good set of guidelines to ensure that organizations are properly protecting cardholder data as best they can. What I do not agree with is the concept that seems to be put forth by the card brands and others that the PCI standards are some sort of magic silver bullet and that they cure all of our cardholder data security ills. Any good security professional knows that they do not and they never will cure everything. This is why there is a push back on the PCI program. Good security people know that even if your organization does everything the PCI standards tell you to do, there is still a certain element of risk. It is that risk that the card brands either refuse to acknowledge or believe does not exist.
Ask any security professional, security is not a perfect or exact science. It never has been and it never will be. If it were, banks and art museums would no longer be robbed and once the PCI DSS was implemented at any organization, the organization would never be breached. Unfortunately, none of these statements is accurate, banks and art museums still are robbed and cardholder data still is compromised. For whatever reason, the card brands do not seem to understand that the goal of security is to minimize, as best possible, the risk that what you are trying to secure will remain secure. For example, that can mean that 98%+ of the threat has been removed. It is that remaining 2% of risk that an organization’s management must be willing to accept. If they are not, then they need to change their approach to provide a level or type of risk they are willing to accept.
The bottom line is that no matter how much we do and no matter how much we try, there is still a chance, however small, that our efforts will not be successful. It is this fact that the card brands need to acknowledge and stop touting the PCI standards as the “Holy Grail” of security. The truth is that, as long as there are people willing to go the extra mile to obtain useful information, there will continue to be data breaches. All we can do is make it as difficult and unrewarding as possible.