Tuesday, September 1, 2009

Bob Russo Comments on PCI and Recent Breaches

The recent breaches and indictments have generated a lot of comments about PCI, many of them unfavorable. On one side are those who say they were "certified" as PCI compliant but got breached anyway; therefore PCI is worthless. On the other side are those who point out that the breached organizations were not PCI compliant at the time of the breach. They then go on to note that no organization has been breached while it was PCI compliant, and that while it is not perfect, PCI is still a pretty good standard for protecting data.

A post at the Securosis Blog raises many of these questions. Bob Russo's response follows it. Both are thoughtful pieces with good arguments. I recommend them to you together with the links to the original editorial/article and Bob's response to it.

My own position is that PCI is the best we have. It is a baseline and not a complete security program. PCI can keep you out of the headlines if properly implemented. But compliance is a two-way street: the issues of QSA shopping are real. There are no silver bullets. The answer is to minimize your scope, eliminate cardholder data wherever and whenever you can, and remain vigilant.

Remember, it's time to be careful.
