Musings on PCI by way of (IN)Secure’s June issue
Posted by Ed in Analysis on Jun 22, 2010
Maybe you’ve already seen it, but I just got around to reading the June issue of (IN)Secure Magazine today. Yes, yes… it came out last week, I realize this – but since reading the PDF version sometimes hangs Chrome (and they don’t have, or I can’t find, a non-PDF feed of the actual articles), I usually put off reading it until I have the spare cycles to wait around for Firefox to load. Meh.
Anyway, all that aside. My point is that I was reading through the magazine and I came across their article entitled “PCI: Security’s Lowest Common Denominator” (it’s the cover story). I do recommend reading it if you haven’t done so – it’s a great call to action and points out some genuine issues with respect to PCI. There are a couple of points made by the article, but much of the thrust is to point out that PCI is not an ideal end state – instead, it should be viewed as the lowest acceptable bar for an organization: a starting point, if you will.
So, that is true. But it also makes me nervous. Nervous because most organizations are so far away from being compliant that it’s not even funny. And compared to other regulation, PCI is… well… hard. The controls are more specific and require specific types of technologies (e.g. IDS, wireless scanning, firewalls, etc.). So if organizations are having a hard time meeting this, what does that say about the value of other regulations (I’m looking at you, HIPAA)? If PCI is valueless, these others must be so much more so. Granted, that’s not exactly what the article is saying, but still…
So, while I agree that it is useful to view PCI as a bare minimum (LCD) and that we should push through to get beyond it, we’re swimming upstream unless we have something to hang our hat on and justify the spend. I’m thinking risk management, but that’s a topic for another day.