Corporate America has been battered by ineffective information security for a long time, with untold billions of dollars in collective losses through the years. Sites that tracked defaced web pages stopped listing them when they became too numerous to enumerate. Similarly, data breaches are now so common that even large breaches barely make the news.
To the rescue comes PCI-DSS - perhaps the most effective security standard created to date. PCI is a welcome and timely standard, beneficial to consumers and merchants. Yet far too many people have derided PCI rather than defending it, pointing to a few of its shortcomings instead of focusing on its many benefits.
Rather than embracing PCI as a catalyst for security change, people are caught in an information security version of Stockholm syndrome and long for the good old days before standards and regulations.
Stockholm syndrome, for those who have forgotten the 1970s, is a psychological response sometimes seen in an abducted hostage, in which the hostage shows signs of loyalty to the hostage-taker, regardless of the danger in which the hostage has been placed. Stockholm syndrome is also sometimes discussed in reference to other situations with similar dynamics, such as battered person syndrome, rape cases, child abuse cases and bride kidnapping.
People point to the Hannaford Bros. breach and say, "Aha! PCI does not work." Even David Hogan, CIO of the National Retail Federation, has missed the point. In a letter to Bob Russo, president of the PCI Security Standards Council, Hogan wrote that "PCI, which has been in existence in one form or another for several years, was supposed to prevent such crimes. It is a valiant attempt to prevent large stockpiles of credit card data from getting into the wrong hands. However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks."
Hogan's mistake is in thinking that PCI could somehow prevent every data breach. PCI can't prevent every data breach, just as laws against cocaine are powerless to prevent the import of every kilo of cocaine. Even so, it does not mean that these laws should be abandoned.
Likewise, Hogan is correct in his observation that PCI can't keep pace with the dynamic nature of the industry. The fact that Kaspersky Lab's antivirus software updates itself every hour shows just how fast change comes. But the fact that PCI can't stop every breach, or that a compliant company may later be breached, does not mean that the standard should be abandoned. The state of information security at tens of thousands of merchants is nothing less than abysmal. Far too many people are victims of this information-security Stockholm syndrome and need to stop finding fault in the minutiae of PCI.
That is not to say that PCI can't be improved upon. In a Computerworld interview with Bob Russo, he was forced to defend the standard against complaints that it is too prescriptive. Yet this same cabal screamed that Sarbanes-Oxley was not prescriptive enough. Russo is dead-on accurate when he notes that "if you open the standard up and show it to any security guy and they don't know it's PCI, [they would tell you] there isn't anything there that you shouldn't be doing for security. There are no new concepts, there is nothing strange; we are not making you jump through hoops. These are things you should be doing as best practices."
PCI is good security, and the PCI-DSS practices are good security practices. PCI has come to rescue those suffering from information-security Stockholm syndrome. PCI is good security for everyone. Embrace it, defend it, and improve it.
Ben Rothke, CISSP, is a senior security consultant at BT Global Services, a PCI Qualified Security Assessor (QSA), and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).