Can PCI Compliance Be Maintained?

I am catching up on my reading and ran across an article on Computerworld’s Web site entitled, “Post-breach criticism of PCI security standard misplaced, Visa exec says.”  There are a number of interesting and very insightful quotes in this article that I think deserve further discussion.

The first quotes are from Ellen Richey, Visa’s Chief Enterprise Risk Officer.  In her first quote, Ms. Richey states that the PCI DSS, “remains an effective security tool when implemented properly.”  Later on, she is quoted as saying, “As we have said before, no compromised entity has yet been found to be in compliance with the PCI DSS at the time of the breach.”  And here is the payoff quote from David Taylor at PCI Knowledge Base.  Mr. Taylor states, “It’s easy to find somebody to be in noncompliance if that is the primary goal.”  Bingo!

Do not get me wrong.  I agree wholeheartedly with the concept of the PCI DSS and the other standards.  I think they are a good set of guidelines to ensure that organizations are properly protecting cardholder data as best they can.  What I do not agree with is the concept that seems to be put forth by the card brands and others that the PCI standards are some sort of magic silver bullet and that they cure all of our cardholder data security ills.  Any good security professional knows that they do not and they never will cure everything.  This is why there is pushback on the PCI program.  Good security people know that even if your organization does everything the PCI standards tell you to do, there is still a certain element of risk.  It is that risk that the card brands either refuse to acknowledge or believe does not exist.

Ask any security professional: security is not a perfect or exact science.  It never has been and it never will be.  If it were, banks and art museums would no longer be robbed and, once the PCI DSS was implemented at any organization, the organization would never be breached.  Unfortunately, neither of these statements is accurate; banks and art museums still are robbed and cardholder data still is compromised.  For whatever reason, the card brands do not seem to understand that the goal of security is to minimize, as best possible, the risk that what you are trying to secure will not remain secure.  For example, that can mean that 98%+ of the threat has been removed.  It is that remaining 2% of risk that an organization’s management must be willing to accept.  If they are not, then they need to change their approach to provide a level or type of risk they are willing to accept.

The bottom line is that no matter how much we do and no matter how much we try, there is still a chance, however small, that our efforts will not be successful.  It is this fact that the card brands need to acknowledge and stop touting the PCI standards as the “Holy Grail” of security.  The truth is that, as long as there are people willing to go the extra mile to obtain useful information, there will continue to be data breaches.  All we can do is make it as difficult and unrewarding as possible.


March 2009