PCI is an easy horse to beat when looking for impassioned discussions with other security professionals. Sadly, too many discussions just trade “how-it’s-not-perfect-so-it’s-dumb” vs “I-didn’t-have-budget-before-but-I-have-it-now” points, and don’t get down into the trenches of the issues, as it were. Mr. PCI Guru has a lengthy, deeper post, “The Failure of PCI?”, which hits many points I sympathize with, like this:
A lot of QSAs are great technologists, but would not know a good or bad control environment if it bit them in the posterior. Fewer QSAs and most ISAs know controls, but would not know a proper firewall or router configuration to save their lives. And finally, there are a very, very few QSAs and some ISAs that know the technology and controls. Unfortunately, the PCI SSC has not found the way to winnow out the QSAs and ISAs so that only the ones that know both technology and controls remain.
General media is a problem when it comes to security. Security is a nuanced, complicated topic to talk about, and media, even IT/security media, rarely has the patience or expertise to talk about it properly. Instead we get dumbed-down and overly simplistic headlines and quotables like “PCI works if you follow it” or “PCI doesn’t work because a breach happened.” None of it does anything except stir the pot and make those who repeat the quotes (read: poor CTOs) look idiotic in front of their (maybe) talented staffs.
Or maybe better yet, the PCI Council/DSS is in a weird position of trying to defend itself while also wiping its hands clean when necessary. That’s an unfortunate position, but it is a PR/positioning problem. (Actually, this *may* end up being a legal/insurance/CYA problem at the root…)
But that’s not a PCI problem per se; it’s a problem for security overall.