Archive for April 2nd, 2010


PCI For Dummies

Is it just me, or is there a move afoot to make security idiot proof?  The reason I ask is that I keep getting emails from various sources indicating that they have developed a white paper entitled ‘PCI for Dummies’, ‘PCI for Idiots’ or ‘Making PCI Compliance Easy’.  Hello!  Get a clue out there!

To paraphrase Tom Hanks's character in ‘A League of Their Own’, “There’s a reason security is hard.  If it wasn’t hard, everyone would do it.”  Security is not always simple, and it is not always easy.  Security usually requires thought, diligence and consistent execution.  And in some cases, security may require a lot of thought and a lot of effort.  The reason?  The bad guys are hoping that people are complacent in their protection of their data.  They hope that we “drink the Kool-Aid” and believe the hype of the white papers.  The bad guys hope that you think because you have the latest and greatest security widget that PCI compliance has been knocked off your to-do list and you can move on to ‘real’ work.

The thing that a lot of people get wrong about security is that they think that it has a start and an end.  And that is the problem with security; it has never been a destination, it is a journey.  Security is a never-ending struggle between the “haves,” in the case of PCI those organizations that have cardholder data, and the “have nots,” in this case the “bad guys” that want cardholder data.  Just when you think you are done, a new threat or risk pops up and the process of securing your organization starts all over.  And if it is not a new threat or risk, then it is someone that gave away their password, was polite and violated your physical security protocol by opening a secured door for someone, lent their access card to someone or left their netbook unsecured in their hotel room while they were at dinner or the room was cleaned.

PCI compliance is no different.  Your preventative and detective controls such as firewalls, intrusion detection and monitoring typically work fine as long as they are maintained and your users do not circumvent them.  However, monitoring also involves corrective controls and that is usually where people slip up.  It is the correction process that is so important.  While you can rely on vendor patches and maintenance to keep the widgets working, if you are not correcting problems, your security will gradually get weaker and weaker.

There is a great t-shirt out that says, “Just when you think you have made something idiot proof, someone goes out and makes a better idiot.”  Some users are better than others.  Some users are never going to get it.  It is the users that never get it that will hurt you.  However, we all have days where we get suckered for one reason or another.  With the sophistication of some of the attacks these days, it’s surprising that more people are not affected.  However, without an active security awareness program, you will never get people trained to suspect “odd” requests, stop opening attachments and falling for all of the obvious scams.  There is no security awareness program that is 100% successful.  But if you do not have a program, all of your other security efforts will be wasted.

That said, one of the biggest “dummies” is likely in that large corner office.  It is not that your CEO/CFO/COO/CIO does not care; they really do care.  It is just that they likely have no idea how to approach the problem of security and how to address it.  Even more likely, they do not realize that it is a never-ending effort.  As a result, the first thing you need to do is educate the C-level people in the ways of security.  You do not need to teach them the nuts and bolts, just the 50,000’ view.  But they are also likely users, so do not pass up the teaching moment.  Make sure they participate in your security awareness program, which is another opportunity to train them.

As a lot of you have commented, I really do have a thing about security not being perfect.  It is an important message that needs to be delivered.  However, that message needs to be delivered carefully.  Security may not be perfect, but without people’s diligence there is no hope of coming close.  And that is the message today.
