The headline of a recent entry in the Securosis blog by Rich Mogull, former Gartner analyst and noted security curmudgeon, was a pointed "Is PCI Worthless?"
Rich argued that PCI is flawed because compliant companies can still be breached. I think I can safely speak on behalf of the 100+ members of the PCI Knowledge Base and the PCI Alliance when I say that we strongly disagree with his conclusion. But before we assemble the groups in the backyard to head over to Rich's house for a good old-fashioned ass kicking, we need to consider his arguments.
First, Rich argues that PCI DSS was established to transfer risk from the card brands to the retailers and processors. However, I've worked with a number of retailers on PCI projects over the past few years and, believe me, retailers already own the risk of a breach. It's their brand on the line and they don't need the card brands or their acquiring banks to tell them that.
PCI DSS provides a checklist of specific controls and technologies, drawing heavily from ISO 27002 and adding the enforcement process the international standard lacks. That gives many merchants very useful direction and gives security managers a very handy tool to justify the purchase of security technologies they had been trying to get for years.
Second, Rich argues that the assessment process is flawed, such that ASVs (he means to say QSAs) are not accountable for the quality of their assessments. There is a real issue here: QSAs do a "point in time" assessment and the PCI process only requires this be done once a year. But a lot can happen in a year. Heck, a lot can happen in a day, such as implementing new applications, changing firewall rules, or re-tuning the IDS.
Any of these things, and many more, can essentially "invalidate" the value of a "Green ROC." But the accountability for those changes has to rest with the retailer who makes them. That's why retailers need sufficient security staff who actually understand the implications of day-to-day operational changes. No company can simply buy some security software, bring in a PCI assessor for a month, expect to be "done" with security until next year, and then hang any problems in the interim on the assessor.
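One way a retailer's own staff can keep the "point in time" assessment honest is to diff the live firewall ruleset against the ruleset that was in place on the ROC date and flag anything that has drifted. The script below is an added example, not code from the column or from the PCI Knowledge Base; it assumes a constructed one-rule-per-line export format (`action proto src dst port`) and treats any newly added "allow" rule with a wildcard source or port as needing review before the assessment can still be considered representative.

```python
"""Flag firewall rule drift since the last PCI assessment.

Added example, not from the column. The export format below is a
constructed, simplified one: "action proto src dst port" per line.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text):
    """Parse the constructed export format into hashable Rule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def rule_drift(baseline_text, current_text):
    """Compare the live ruleset with the one approved on the ROC date.

    Returns the added and removed rules, the added rules that widen access
    (an 'allow' with a wildcard source or port), and whether the
    assessment-time ruleset is still representative of production.
    """
    baseline = set(parse_rules(baseline_text))
    current = set(parse_rules(current_text))
    added = sorted(current - baseline, key=str)
    removed = sorted(baseline - current, key=str)
    risky = [
        r for r in added
        if r.action == "allow" and (r.src == "any" or r.port == "any")
    ]
    return {
        "added": added,
        "removed": removed,
        "risky": risky,
        "representative": not added and not removed,
    }


# Constructed sample rulesets: the approved baseline from the ROC date and
# the ruleset in production today, which has gained one wide-open rule.
BASELINE = """
# approved ruleset on ROC date (constructed)
allow tcp 10.1.0.0/24 10.2.0.5 443
allow tcp 10.1.0.0/24 10.2.0.6 1433
deny any any any any
"""

CURRENT_RULES = """
allow tcp 10.1.0.0/24 10.2.0.5 443
allow tcp 10.1.0.0/24 10.2.0.6 1433
allow tcp any 10.2.0.6 3389
deny any any any any
"""


def drift_summary(baseline_text=BASELINE, current_text=CURRENT_RULES):
    """Human-readable summary for a change-review ticket."""
    drift = rule_drift(baseline_text, current_text)
    lines = [f"representative: {drift['representative']}"]
    lines += [f"added:   {r}" for r in drift["added"]]
    lines += [f"removed: {r}" for r in drift["removed"]]
    lines += [f"REVIEW:  {r}" for r in drift["risky"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(drift_summary())
```

Running this on the constructed data reports one added rule, no removed rules, and marks the new "allow tcp any 10.2.0.6 3389" rule for review; the point is that the retailer's staff, not the assessor, sees the drift the day it happens rather than at next year's assessment.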
Third, Rich argues that assessors should not be allowed to certify their own remediation work. On this, we're in complete agreement, and many (but not all) of the retailers and assessors in the PCI Knowledge Base would also agree that this is risky. We wrote about this very problem two weeks ago in this column. We still recommend that retailers ask the same set of qualifying questions of a group of assessors, find two that agree on the interpretation of certain "key" PCI standards, and then use one for the assessment, and the other for the remediation.
The more retailers understand the liability, the more they will realize that PCI and other compliance needs to be "baked" into business operations, not dumped on IT security management.
If you want to discuss this column or any other security or compliance issues, please send me an e-mail at [email protected] or visit www.KnowPCI.com to join the PCI Knowledge Base.