
I read an article this morning from CSO Online, which talks about the PCI debate.  “Well, which one?” you ask. Reasonable question.

The ongoing debate concerning PCI’s effectiveness is nothing new.  It seems that we’ve had this debate for every compliance effort – from the government to the private sector, from ISO 27000 to DoD 8500.  The debate won’t go away, but it should change.

The truth is that PCI does help. If you’re PCI compliant, you will necessarily pick off some low-hanging fruit, which necessarily reduces your risk of compromise. Consider the 2011 Verizon DBIR (PDF), which noted that 92% of attacks were unsophisticated and that 96% of breaches could have been prevented with “simple” or “intermediate” controls.

Here’s another way to look at it.  You’re either running with File Integrity Monitoring (FIM), which PCI requires, or you’re not.  If you’re running FIM from a reputable vendor providing relevant, up-to-date content (nudge, nudge, know what I mean?), then you are – at the very least – mitigating those unsophisticated attacks.  The same can be said for other controls levied by PCI, or other frameworks for that matter.

If these points aren’t enough, have a look at these Tripwire posts from Cindy Valladares: PCI DSS Compliance: More Carrot and Less Stick, and How to Achieve Better Security.  The latter post features a video of Josh Corman and Mike Dahn.  Smart folk they are.

What PCI isn’t: A security panacea.  Neither is ISO 27000, the German BSI, Australian ISM, HIPAA, or FFIEC guidance.  Recent breaches in the news have reminded us of this fact. But, as I’ve said before, compliance isn’t dead.  Not even close.  Instead, we are, as an industry, starting to recognize that compliance isn’t focused on the right things – it’s focused on the bureaucratic notion of ensurance rather than the security-focused notion of assurance.

Ensurance is important, but only if the processes you’re ensuring are effectively centered on information assurance. Otherwise it is a lot like process for process’ sake, something I’ve written about over on Stoic Security.