Security's Everyman

Sunday, January 13, 2008

PCI Compliance "Why Bother?"

Alex is convinced that PCI compliance has little to do with information security, at least in terms of companies' desire to achieve compliance. It's all about the semantics involved in getting past the legal mumbo jumbo of meeting each section of the DSS. His hypothesis is based partially on the questions that are asked in the Yahoo! Groups PCI Compliance group. I'm also a member of that group, and I would agree that most of the questions are not "How do I become more secure?" but "How do I comply with a particular section?" That is to be expected simply because of the nature of the group: it is about PCI compliance, not security in general.

I still have to agree with Alex though. Based on the discussions I've had with others about their PCI experience, and also with vendors, the quest isn't "more secure" but "just enough". It appears that companies aren't working toward protecting their networks, systems and data, but toward keeping the auditors happy and getting a check mark in every check box.

This leads me to wonder, then: do the auditors need to expand their scope beyond the regulations? Of course not. That wouldn't work, because they have to have limits on their power and scope. What we need to do is get management out of the compliance mindset and into the security mindset. This will take time, and it will require that we be able to quantify the benefit of security. Maybe it's building cases based on past breaches at other companies and showing what the associated costs were. The real cost, not the cost that the analysts come up with.

What will actually work better (and in concert with that approach) is to show the vulnerabilities that have already been remediated by what has been done so far, and those that will be remediated when other controls are put into place. Then show real-world examples of how not being affected by these issues saved time, money and resources.

We have to build our case on reality, not on FUD. A good example (going back a few years) is Blaster. Lots and lots of companies were hit time and time again by Blaster. Just when they thought it was cleaned up, a forgotten system was turned on or a laptop user connected to the network, and it was running amok again. Yet the companies that had been patching regularly were unaffected; Blaster exploited a Windows RPC/DCOM flaw for which Microsoft had shipped a patch (MS03-026) about a month before the worm appeared. A good plan for maintaining AV (especially in emergencies), patching, keeping track of all systems (permanent and mobile), and having the right routing and firewall rules in place would have kept your company Blaster-free. Yet most companies did not do these things.

So back to PCI. I'm not a big fan of security by compliance, because human nature causes us to do just enough to get by, but it does at least open our eyes to the need for more security. It also (hopefully) paves the way for us to realize that check boxes aren't enough and to reach for real security. Build your case and sell it.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.