Most IT security professionals who must comply with the industry standards to protect credit card data think those standards have no impact at all on actual security, according to a new study by Ponemon Institute.
As an Infrastructure and Security Professional, I do not agree with this statement and would welcome the opportunity to review the source survey. PCI DSS has had a huge positive impact (albeit a SOX-like painful one) and has significantly raised the bar (which was the intent) in protecting Credit Card Privacy information.
And they say the main benefit of meeting the standards isn't better security, it's better relationships with business partners who regard payment card industry (PCI) compliance as an easy-to-read sign that businesses are paying attention to protecting the personal data of people who use credit cards, the study says.
While there clearly have been a number of well-documented “PCI-related” data breaches showing up in the news, I see the point that the author is making about Business relationships. Firstly, if you look carefully at the details of some of these breaches, like TJX for example:
Read the WSJ Article (linked above) on the TJX breach. This was a failure of BASIC NETWORK SECURITY Best Practices, notwithstanding PCI guidelines. You may find that many, if not all, of the infamous breaches were a result of less than vigorous compliance.
Secondly, as far as the blogger’s view of the “main benefit” of PCI goes, and notwithstanding the blogger’s sarcasm about Merchant relationships, a lot of it has to do with liability. The Credit Card companies, the Banks, the Credit Card Processors and ultimately the Merchants all get named in lawsuits when customer data is exploited. As a result, PCI is an industry self-governing attempt to curb that liability, and that generally translates into greater security controls and governance.
Keep in the forefront that this “survey” was conducted for a Security Software developer, not an industry watchdog group. I offer no disrespect to Imperva, but while I HAVE NOT SEEN the survey, I have to question these statements until more details can be made available.
"PCI does not necessarily mean better security within the hearts and minds of respondents," says Larry Ponemon who conducted "PCI DSS Compliance Survey" for Imperva, which makes database and Web application security products.
This next section is particularly perplexing, as even lay observers can surmise that PCI controls (if implemented vigorously) provide greater levels of security. Much of PCI is plain common sense and Best Practices.
The benefit of PCI compliance cited most often by the IT security pros polled was that it improves relationships with business partners, not that it made data more secure.
There is certainly nothing wrong with questioning the effectiveness of any industry governance code. My concern here is that the concerns raised by the blogger / author do not “appear” to be based on common sense or on any facts yet made public. Common sense alone (although common sense apparently is not always common) should indicate that any set of guidelines, PCI or otherwise, would increase effectiveness, let alone the PCI DSS standard, which has sustained continued scrutiny from insiders, outsiders and litigators. It is almost preposterous to state that the implementation of, compliance with and adherence to PCI DSS “standards have no impact at all on actual security”.
Let the people decide.
Ne feceris ut rideam
(Don't make me laugh)