* Posts by David Gamey

1 publicly visible post • joined 15 Apr 2008

Regulatory compliance 'irrelevant' to security

David Gamey

Did he actually read the standard ....

Lots of vendors are using the PCI DSS as a standard or lightning rod for their own agenda.

Last week Fortify's Brian Chess opined that the breach at Hannaford was likely malware and not an inside job. Shortly afterward, news outlets are reporting this as fact. The jury's still out.

Compare what has come out in the news after the Hannaford breach compared to the TJX breach over the same period of time. After TJX it was fairly obvious looking at the available news that they likely had multiple areas where they were out of compliance with the PCI standard. With Hannaford, it is less clear. Now they may be better at controlling the release of information than TJX was. Or they may have been better controlled. The story will come out, but in the absence of real information speculation shouldn't be taken as news.

Now Rapkin is blaming a standard for the check box mentality held by many people. It is in the nature of people to do this. No standard will ever change this. Now Rapkin's position is less blatantl than Chess's, but I have to wonder if he's actually read the whole standard. Or has he just looked at the technically prescriptive parts and found them wanting from his perspective? (Or hast he interviewer left out those bits).

The standard as well as having lots of technically prescriptive parts has some governance parts that are important. Compliant organizations have to include specific due diligence in the management of their contracts. They also have to have ongoing risk assessment processes. That should address a lot of those security concerns.

Rapkin seems to make a common mistake. That is equating how an organization demonstrates compliance versus their being compliant.

Sure the standard has flaws. Nothing in the real world is perfect. And there are lots of ugly bits in it. Are there ways to make it better? Certainly there are. There are also lots of ways it could be made worse.

To some degree it is a case of locking the barn door after the horse has left. Except there are lots of barns and lots more horses. Some have said PCI is an expensive fix. But is the alternative really no more horses and barns? And the DSS isn’t the whole picture either. There are other PCI standards, there is chip and pin, and other practices are needed. None are perfect. They have flaws. Those flaws need to be worked through. Yes it would be nice to get better security out of the gate. There are lots of people working towards that goal. And they don’t always agree. The point is that it’s going to be an evolving processes.

By definition this area is a moving target, an arms race of sorts. It will also have to change as the criminals shift their attacks. And they will shift their attacks as the easy holes get closed off. A new version of this standard is due this fall. When it comes out, it should be better. But then the criminals certainly aren’t sitting still either.