PCI irrelevant? Or is it just us assessors?
Posted by Ed in Analysis on Jan 26, 2009
It seems that the world’s abuzz with thoughts about the utility of PCI. Not surprising in light of the worst credit card breach of all time happening just the other day.
So, first I saw Alex’s take over at RiskAnalysis and he’s got some interesting juice for making you think and then I saw Mike Rothman’s thoughts on the increasing irrelevance of PCI. Both are worth reading, and I highly recommend that you do so. Props to Mike and Alex for (as usual) getting something worth reading into the security blogosphere.
So, there’s been some speculation on the utility of PCI and whether or not it continues to have any in light of the recent breaches. People are naturally wondering:
- Is it useful to give an attacker a list of the protections a retailer is going to have in place, as PCI does?
- Is PCI useful when all these supposedly-compliant organizations are getting broken into?
- Should there be an overhaul of the process in light of all the foolishness that’s been going on?
But I think there are a few points that bear mentioning related to the discussion. The first is that compliance != security. You can be compliant until you’re blue in the face, and that has no bearing on whether or not you’ll get attacked (successfully or not). So, just because somebody who was (allegedly) compliant gets hacked doesn’t necessarily mean the process is broken. If the value is high enough, somebody will find a way to attack it, no matter what they are or aren’t compliant with. Just ask the military.
But the second point is whether they should have been given compliant status in the first place. In the case of Heartland, they had malware on a system that was passing around track data (at least according to the reports I’ve seen so far – maybe that’s off base.) Is it a problem that that system was asserted to be compliant by a QSA? I’m not sure it is…
First of all, no assessor can audit every aspect of a retailer. If they did, each assessment would cost bagillions of dollars every year. So, there’s sampling involved – and plenty of opportunity to slip through the cracks. Second, there are varying degrees of skill and technical astuteness in the QSA population. Do some QSAs suck? Yes, they do. Will some of them rubber stamp your dog as being “compliant”? Yes, they will. But that doesn’t mean the standard itself is flawed…
All in all, I think it’s a good thing. In my opinion, telling a retailer that they have to run an AV program doesn’t give away too much secret sauce to make attacking them any easier. It just a) gives them guidance that they should be doing it and b) sets a minimum bar for someone to hold them to.
Anyway, just my two cents.