Anton Chuvakin posted over a week ago about some possible reasons why Heartland Payment Systems had their data breached. After his 5 examples, he concludes that none of them specifically shows that PCI failed or is irrelevant. In a way, he is correct, but what we’re doing here is playing with semantics vs perception. (Something we who throw around the term “hacker” often should be very intimate with.)
If PCI didn’t fail in any of those cases, one could argue that PCI will never fail us. That means PCI compliance doesn’t offer much beyond any other list of Best Practices. Best Practices that are required. We’ve known for some time that PCI is just a general guideline. But there is either a perception problem on the part of those adopting PCI, or a presentation problem by the PCI Gods who are requiring it.
If PCI can’t be blamed for anything, then what value is there? If PCI doesn’t allow a CTO to shift blame onto it (or a QSA) when things go wrong, there are plenty who then see no value in it. In which case it is just a requirement to meet in the least painful/costly fashion possible (which does not preclude simply lying about it). And then there truly is no value in it for those persons.
I don’t agree with that position, but it exists whether I like it or not.
Maybe the underlying concept we need to continue to hammer out is: Security is not easy.* Security is hard work. Security is not always cheap. Security costs money. I’m sure there is a haiku in there somewhere…
* Just think of all those painful experiences trying to align secure practices to people and a business. Years of those experiences, trying to guide the moving waters of a river to where you want them to flow. There are small and large security battles lost every day, and poor individual decisions made constantly and gambles accepted. We’re certainly not in it because the job is easy!