24 Jan 2010

The Great PCI Debate

If you have a chance, download a copy of this podcast.  There are two parts plus a transcript and it is well worth the effort.  I would like to thank Bill Brenner and Martin McKeay for having the foresight to get together a panel of people to discuss this topic.  I would also like to thank the panel for providing probably the best discussion yet of the pros and cons of PCI.

  • Jack Daniel, a member of the National Information Security Group (NAISG)
  • Ben Rothke, senior security consultant for BT Global Services
  • Dr. Anton Chuvakin
  • Ward Spangenberg, a Seattle-based security consultant
  • Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA)

Based on my interpretation of the podcast, here are the takeaways that I got from listening to this great discussion.  Interestingly enough, some of them may sound very familiar.

  • Security is not perfect.  There will always be a risk no matter what you do.
  • There will always be organizations that just do not get it and never will.
  • If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.
  • The PCI DSS is common sense, not rocket science.
  • The PCI standards are not perfect, but they are better than nothing.
  • The PCI standards are a bare minimum and you must go beyond them to better ensure security.  However, if you can consistently execute the bare minimum, you are ahead of the curve.
  • Most Level 2, 3 and 4 merchants are clueless about security, let alone the PCI standards, and will likely remain targets.

For reference, I have included links to the relevant posts that I made on similar topics over the last year.

1 Response to “The Great PCI Debate”


  1. 1 scott
    January 26, 2010 at 8:42 AM

    Point – counter point

    * Security is not perfect. There will always be a risk no matter what you do.
    BUT, when you are compromised we will act stunned and throw you under the bus claiming you should have done more.

    * There will always be organizations that just do not get it and never will.
    BUT, we won’t make a distinction and define rules and regulations that assume all merchants and processors don’t get it. It makes it easier to throw you under the bus when a breach occurs.

    * If controls are not consistently implemented, maintained and monitored, then your security measures will not matter.

    * The PCI DSS is common sense not rocket science.
    BUT, many of the items that can result in non-compliance do nothing to add security to the system.

    * The PCI standards are not perfect, but they are better than nothing.
    BUT, we make statements that it is the perfect solution and if you are breached it is obvious that you did not follow all of the imperfect rules.

    * The PCI standards are a bare minimum and you must go beyond them to better ensure security. However, if you can consistently execute the bare minimum, you are ahead of the curve.
    BUT, no matter what level you maintain, if breached watch out for the bus.

    * Most Level 2, 3 and 4 merchants are clueless about security let alone the PCI standards and will likely remain targets.
    BUT, we sure want you level 2, 3, and 4 merchants to continue accepting our insecure payment product.
