Don't throw out the baby with the bath water
In the wake of the Heartland fiasco it is becoming fashionable to lay the blame for this mess at the feet of the PCI Council, almost as if the PCI folks were the ones who planted the malware on Heartland's computers and stole the credit card info. Mike Rothman questions "The Increasing Irrelevance of PCI" and Steve Ragan over at the Tech Herald asks "Does the Heartland breach prove PCI useless". I say don't throw out the baby with the bath water. Let's not confuse the good work that the PCI regs have done across the board with the sophisticated methods of cybercriminals. As I wrote last week, let's not confuse compliance with security!
For the majority of merchants who accept credit cards, the PCI regs have led to the adoption of security measures that many of them never had before. Anyone who doubts that does not have the facts on their side. Yes, many of these merchants have adopted measures solely to pass an audit and check the box, but that is still more than they had. Expecting these merchants to get serious about security and do more than the minimum that the standards mandate is a pipe dream. The PCI standards are not supposed to be some super-hero-like shield of invincibility. They are just a set of minimal steps that merchants and others holding sensitive information should take to protect that data. They were never meant to be the be-all and end-all in the matter of security.
All of the above notwithstanding, I do think the PCI Council needs to adopt a higher standard for companies like Heartland and Cardservices that process credit card transactions. The sheer volume of information they process puts them in a different class. I think for this class the PCI folks should put continuous monitoring of security practices in place. A yearly audit is not enough. I also think that larger merchants need not only more frequent monitoring but a higher level of security.
But folks, don't throw the baby out with the bath water. Give the PCI Council time to adjust and learn from this episode. Those who condemn them for not anticipating this type of attack are not without sin themselves. Who among us in the security industry has been able to stop the bad guys dead in their tracks every time? Let's not hold the PCI regulations up to an impossible and artificial standard that no one can live up to.