26

Might as well bring this hot topic here!

For those not in the know: https://www.pcisecuritystandards.org/

AviD
Tate Hansen

5 Answers

32

A good question, but perhaps you should phrase it "Does PCI harm security".

To answer both questions, I would differentiate very roughly between two types of organizations (even though most fall in between these two extremes):

  • Security-conscious organizations, that routinely perform business-risk based analysis, have a comprehensive SDL in place, perform all the right moves, etc.
  • Security-unconscious organizations, that have no interest in anything they are not absolutely forced to do, and especially not if it doesn't make any money.

For the second group, PCI absolutely helps, a lot, in the following ways:

  • Awareness (now someone is at least allowed to mention security, and hopefully they're all talking about it)
  • Budget - since otherwise management would never have allocated any resources whatsoever to invest in any form of security, now at least they are forced to at least pay lip-service.
  • Minimal baseline of least common denominator activities. (Hopefully this includes training the developers, which helps more than any regulation...)

Basically it forces them to acknowledge security, and hopefully some additional good will come out of it.

For the first group, there are two (two and a half) main consequences:

  • There are (rare) situations where the organization has to choose between a real security solution, and compliance with the generic baseline LCD.
  • Budget is now forcefully allocated to the minimal, generic baseline LCD as defined by some external group that knows nothing about their business. (This budget would probably be more useful in different security activities / products / etc).
  • Management is quicker to pass on any security investment that is not mandated directly by the PCI - "if they don't need it / if it's good enough for them without, why should we bother?" or "If it was important, PCI would have required it".

In this case, PCI is doing more harm than good, since getting them to build in security is not an issue for these orgs.

However, one benefit of PCI compliance that is shared across the board:

PCI compliance reduces the risk of the penalties of non-compliance.

AviD
  • 16
    Heh, the more I think about it, the more I like that last note. I think I'm going to reuse it... So I hereby proclaim AviD's *Law of Compliance*: "PCI compliance reduces the risk of the penalties of non-compliance" :D – AviD Nov 22 '10 at 20:47
  • That law generalises nicely to: "Compliance reduces the risk of the penalties of non-compliance." Works as well for SOX or NYSE listing requirements as it does for PCI. :) – caelyx May 05 '11 at 05:27
  • @caelyx, you're correct - this was my first iteration of that "law", on later questions here it was already generalized. :) – AviD May 05 '11 at 05:37
9

The first thing you need to be aware of is that PCI DSS is NOT intended to protect your organization. It is intended to protect the payment networks and the payment ecosystem. This may sound odd to many, but just ask Visa and Mastercard.

I agree with AviD's comments. "PCI Compliance" reduces some specific risks and probably makes those organizations (that aren't doing anything) more secure. But PCI compliance should not be any organization's ultimate goal.

Another thing to make clear is that there is a BIG difference between "PCI Compliance" and actually exercising all of the requirements of PCI DSS in a manner that is commensurate with the risk. Many organizations are "Compliant" (or think they are) today because of someone's poor interpretation of PCI DSS or because they didn't do a full gap assessment.

ken5m1th
  • but that's part of the problem - all that matters is that you are "compliant". There is no PCI benefit to doing anything beyond that. Of course I agree in principle with your comments on goal and risk, but that's not required by PCI - or even encouraged. – AviD Nov 22 '10 at 13:40
  • To elaborate that last point - PCI compliance removes from the organization the ability to apply any risk management or contextual analysis - you have to comply with THIS, and that's it, no choice about it. – AviD Nov 22 '10 at 13:41
8

From experience (I worked for a credit card processor), PCI helped us to:

1) Get attention from the high-level managers (security became important when they heard that we could lose the rights to work with VISA and Mastercard).

2) Security got the chance to become part of the development lifecycle in the whole company, and the developers started to think twice before giving a solution like "save the security number in this txt and leave it there, lying around, on a desktop used by 30 people".

3) Security got budget to handle the legacy, put it in compliance, rethink old solutions and find new solutions for old hacks.

So in my opinion, being PCI compliant doesn't make your company more secure. Yes, its main focus is to protect VISA and Mastercard, but it will open some doors to security, it will give you more budget, and it can help you to review your legacy and be more diligent with your software development lifecycle in general.

VP.
3

PCI DSS helps the PCI SSC (PCI Council) make money, and lots of it.

It also helps the PCI SSC partners make money, and lots of it.

It does not "help" security, or the security community in any particular way. I can cite numerous examples of how it hurts the information security posture of organizations and hinders their ability to perform adequate information security management and risk management. However, the best example is that it takes money away from good projects and delivers it into the hands of the PCI SSC and their partners (see above), which always seem to fund bad projects. This is also how SANS works.

Saying that PCI DSS compliance reduces risk and improves security is like saying that Jenny Craig (or Weight Watchers) reduces fat and improves happiness.

atdre
3

I'd say there are quite a few things in the PCI-DSS that make sense for a lot of companies to be doing (even when not processing credit cards), and that yes, when implemented properly this can make an organisation more secure. Beyond that, it all depends on the mentality (regarding PCI-DSS) of the organisation trying to achieve PCI-DSS compliance.

NSSec