Fun times continue with PCI DSS. Anyone with a basic grasp of security saw all of this coming (and the same cycle applies to any security checklist…):
1. PCI “compliant” firms suffer breach.
2. Companies/people question PCI.
3. PCI blames firms for not being perfect every moment of every day.*
4. PCI DSS is only a set of guidelines and checklists; it does not actually DO the securing by itself.
We’ve all just been waiting for the next inevitable data point to land on this argument.
The argument revolves around how PCI markets its DSS and how people take it. If PCI markets the DSS as a rubber-stamp approval of ultimate security, it fails. If people expect PCI compliance to make them perfect, they fail. PCI could fix this by simply adding the caveat: “…this is where you start with security, but this alone is not a guarantee of security.”
Of course, we all know how that will be taken: “If it’s not perfect, it’s useless!” That is an immature (or, just as often, a common business) argument in a realm where perfection is not possible. Sadly, this is where the media fails (and, understandably, milks the story for the hits and attention) and where the general public shows it still only has immature ideas about security. But still, PCI fails by allowing the perception that its DSS will save you, even if creating that perception was its intention in the first place.
PCI DSS is no better than any other checklist or list of best practices.
* PCI can weasel out of any blame on any given day: just blame the QSA (Qualified Security Assessor) and/or the firm. This is another “law” of security, not just cyber but every sort of security from war efforts to the war on drugs: you can always naysay, because there is no ultimate “win” and no ultimate definitions. Another “law” illustrates the same point: “You *will* suffer a security incident.”