LAS VEGAS -- The security standard used to protect credit cards isn't up to the task and upgrades that are planned for this fall do virtually nothing to improve it, a security expert told Interop attendees this week.
Not only that, the so-called Payment Card Industry Data Security Standard (PCI DSS) is driving what businesses spend their security money on, which is not necessarily the same set of things they would do to best protect their assets, said Josh Corman, research director in the enterprise security practice of The 451 Group.
One of the glaring shortcomings of PCI DSS is that it doesn't address cloud computing at all, leaving businesses interested in the cost savings promised by the cloud unable to use it in a way that complies. And the draft of the changes that go into effect this fall, which Corman has seen, doesn't address cloud, either, he said.
The problem is that with budgets pinched, CIOs and CISOs are forced to limit security spending. Since PCI DSS is mandatory for anyone handling credit card data, its requirements are being met, often at the expense of other measures, Corman said.
"PCI has created budgets where there were none," Corman said. A common belief is that IT security is recession-proof, but PCI compliance has forced much of the spending that might have been cut otherwise. "It's probably more accurate to say compliance made [security] recession-proof," he said.
PCI DSS may or may not do a good job of protecting credit card data, but it definitely doesn't do the best job of protecting all corporate assets based on their value to the corporation, Corman said. "PCI is not meant to protect [your business], it's meant to protect the data you have become responsible for," he said. "The [qualified security assessor] isn't protecting the herbs and spices for the colonel; he protects the credit cards."
The impression within the industry, though, is that PCI DSS is a standard that if applied to any business network will adequately secure it. And since PCI DSS is mandated for many businesses, it sets the bar – perhaps not a very high one – for adequate security, Corman said. Many security executives he talks to say much of their spending is driven by making sure the business can pass a PCI DSS security audit, not that the riskiest assets are protected. "We now fear the auditor more than the attacker. Is that a good thing?" Corman said.
The nature of threats is changing all the time with adversaries persisting and constantly trying new means of attack.
Meanwhile, PCI DSS is updated just every two years, which leaves it behind in fighting the latest innovations from attackers, Corman said.
He said some of the principles that buttress the standards don't stand up to analysis. For example, regular, prompt patching of operating systems and applications is touted as a key to data protection. But of 90 breaches that warranted incident responses in 2009, just six could have been prevented by more timely patching, according to a Verizon Business data breach report, he said.