Archive for April 8th, 2009


PCI Compliance Is Not Enough

In my opinion, Representative Yvette Clarke (D-NY) last week proved President Abraham Lincoln’s statement, “Better to keep one’s mouth shut and keep people guessing, than to open it and remove all doubt.”

Representative Clarke stated, “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.” I do not know where Representative Clarke’s aides have been, but I have not seen anything from any of the card brands that would indicate that they have acknowledged that PCI compliance is not enough. To the contrary, based on the quotes from the card brands that I have seen, the card brands, and in particular Visa USA, believe that PCI compliance is the ‘Holy Grail’ of security.

Do not get me wrong.  Are there ways that the PCI standards can be improved?  No doubt about it.  However, the sort of standard that Representative Clarke is suggesting in her statements would not be workable, let alone implementable.  Moreover, if Michael Jones, the CIO of Michael’s Stores, thinks that the current PCI standards are overly complex, the standards that Representative Clarke is suggesting would probably take him completely over the edge.

Representative Clarke went on further to point to Chip and PIN as a salvation for security.  Again, Representative Clarke must not have the ‘best and brightest’ on her staff or they would have seen from a Google search that there are significant security issues related to Chip and PIN.  So while Chip and PIN could be a better solution, it is not the perfect solution Representative Clarke seeks.

PCI compliance is enough IF (and that is a big ‘IF’) a company is consistently diligent in applying the PCI standards day in and day out.  It is not the standard that is the problem; it is the consistent application of the standard every day that is the problem.  Why?  Because humans are involved and humans are fallible.

Representative Clarke misses the fact that there is a human element involved in all security, and it is that human element that typically is the biggest problem. Whether it is the programmer writing the firewall or application software, the person who erroneously configures a security device, or the human being who misses or mistakenly responds to a security alert, it is those sorts of human errors that result in breaches. Therefore, unless Representative Clarke intends to outlaw human beings from the practice of information security, she had better own up to the problem and admit that breaches will occur regardless of her outrage. What proper security will do is reduce the number and frequency of breaches, but it will never eliminate them.

What Representative Clarke also misses is that there is no such thing as perfect security.  If there were, banks would not be robbed as often as they are robbed.  Even with all of the sophisticated security in a bank, they are still robbed and fairly often, I might add.  The only reason bank robbers eventually are caught is that they get sloppy – they are human after all!

At the end of the day, even if a company invests in all of the security appliances, policies, standards, procedures and techniques, there is still a risk (small as it may be) that it could be breached. In addition, no matter how diligent an organization is, they all get sloppy at certain tasks over time, creating even more risk. It is that risk that dedicated attackers use to breach systems, because a dedicated attacker will do whatever it takes to create a breach no matter what barriers are put in their way.
