08
Apr
09

PCI Compliance Is Not Enough

In my opinion, Representative Yvette Clarke (D-NY) last week proved President Abraham Lincoln’s statement, “Better to keep one’s mouth shut and keep people guessing, than to open it and remove all doubt.”

Representative Clarke stated, “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.  It is not, and the credit card companies acknowledge that.”  I do not know where Representative Clarke’s aides have been, but I have not seen anything from any of the card brands that would indicate that they have acknowledged that PCI compliance is not enough.  To the contrary, based on the quotes from the card brands that I have seen the card brands and in particular, Visa USA believes that PCI compliance is the ‘Holy Grail’ of security.

Do not get me wrong.  Are there ways that the PCI standards can be improved?  No doubt about it.  However, the sort of standard that Representative Clarke is suggesting in her statements would not be workable, let alone implementable.  Moreover, if Michael Jones, the CIO of Michael’s Stores, thinks that the current PCI standards are overly complex, the standards that Representative Clarke is suggesting would probably take him completely over the edge.

Representative Clarke went on further to point to Chip and PIN as a salvation for security.  Again, Representative Clarke must not have the ‘best and brightest’ on her staff or they would have seen from a Google search that there are significant security issues related to Chip and PIN.  So while Chip and PIN could be a better solution, it is not the perfect solution Representative Clarke seeks.

PCI compliance is enough IF (and that is a big ‘IF’) a company is consistently diligent in applying the PCI standards day in and day out.  It is not the standard that is the problem; it is the consistent application of the standard every day that is the problem.  Why?  Because humans are involved and humans are fallible.

Representative Clarke misses the fact that there is a human element involved in all security and it is that human element that typically is the biggest problem.  Whether it is the programmer writing the firewall or application software, the person that erroneously configures a security device or a human being that misses or mistakenly responds to a security alert, it is those sorts of human errors that result in breaches.  Therefore, unless Representative Clarke intends to outlaw human beings from the practice of information security, she better own up to the problem and admit that breaches will occur regardless of her outrage.  What proper security will do is reduce the number and frequency of breaches, but it will never eliminate them.

What Representative Clarke also misses is that there is no such thing as perfect security.  If there were, banks would not be robbed as often as they are robbed.  Even with all of the sophisticated security in a bank, they are still robbed and fairly often, I might add.  The only reason bank robbers eventually are caught is that they get sloppy – they are human after all!

At the end of the day, even if a company invests in all of the security appliances, policies, standards, procedures and techniques, there is still a risk (small as it may be) that they could be breached.  In addition, no matter how diligent an organization is, they all get sloppy at certain tasks over time creating even more risk.  It is that risk that the dedicated attackers use to breach systems.  Because a dedicated attacker will do whatever it takes to create a breach no matter what barriers are put in their way.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

April 2009
M T W T F S S
« Mar   May »
 12345
6789101112
13141516171819
20212223242526
27282930  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,904 other followers


%d bloggers like this: