Fun times continue with PCI DSS. Anyone with any sense of security saw all of this coming (and the same pattern applies to any security checklist…):
1. PCI “compliant” firms suffer breach.
2. Companies/people question PCI.
3. PCI blames firms for not being perfect every moment of every day.*
4. PCI DSS is only guidelines and checklists that don’t actually DO the securing in and of themselves.
We’ve all just been waiting for more inevitable data points on the grid of this argument.
The argument revolves around how PCI markets the DSS and how people accept it. If PCI markets it as a rubber-stamp approval of ultimate security, they fail. If people expect PCI to be perfect, they fail. PCI can fix this by simply adding the caveat: “…this is where you start with security, but this alone is not a guarantee of security.”
Of course, we all know how that will be taken: “If it’s not perfect, it’s useless!” That is an immature (or common business) argument in a realm where perfection is not possible. Sadly, this is where the media sucks (and rightly milks it for the hits/attention), and the general public only has immature thoughts about security. But still, PCI fails for allowing the perception that its DSS will save you, whether or not that was their intention in the first place.
PCI is no better than any checklist or list of best practices.
* PCI can weasel out of any blame any given day. Just blame the QSA and/or the firm. This is another “law” of security, not just cyber but every sort of security from war efforts to the war on drugs: You can always naysay because there is no ultimate “win” and no ultimate definitions. Another “law” illustrates this, “You *will* suffer a security incident.”
PCI DSS is about compliance, not security. Organizations are getting breached not because the DSS is weak, but because those organizations are not taking responsibility for their own security.
I know, I know…it’s not “proper” to blame the victim. However, I’ve been involved in a number of responses to data breaches, even with customers who had said, “no, we don’t want a monitoring solution, we don’t want you to train our first responders, and we don’t want you to help us develop a prevention/detection/response plan…we just want you to come when we call…” It’s those same customers that get notified by outside third parties when they’ve been breached, and only call for assistance a week or more later, because corporate leadership and legal are trying to figure out what to do.
We’re not talking about rape victims here, and we’re not saying, “you brought it on yourself.” What we are saying is that with all the warning signs, fences, and everything that’s been said to try to get your attention, you still walked into the lion’s den with pockets full of raw meat.