Data Breaches Show PCI DSS Ineffective

Thursday Dec 10th 2009 by Danny Lieberman

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found 71% of companies don't consider PCI as strategic, though 79% had experienced a breach.


Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey? Is PCI DSS a failure in the eyes of US companies?

Let's put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security: the cost of damage, and the goodness of fit of the countermeasures.

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k, then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don't see PCI as strategic is an indication that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition. If you want to satisfy the two principles you have to prove two hypotheses.

Data loss is currently happening.

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?

A cost effective solution exists that reduces risk to acceptable levels.

* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?
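The two principles above reduce to one comparison: the value at risk before and after a countermeasure, against what the countermeasure costs. The following is an added worked example, not code from the article or its author. It uses a plain annual-loss-expectancy model (asset value x damage fraction x annual probability, with each control removing a fraction of a threat's damage) and constructed figures chosen to echo the 1M-versus-100k case in the text; the asset names, probabilities, mitigation factors and costs are all assumptions for illustration.

```python
"""Value at risk versus countermeasure cost (constructed example).

All figures below are made up for illustration; none come from the
article or from the Ponemon survey it cites.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Asset:
    name: str
    value: float            # what a total loss of the asset would cost


@dataclass
class Threat:
    name: str
    asset: str              # name of the asset this threat acts on
    annual_probability: float   # chance of at least one occurrence per year
    damage_fraction: float      # share of the asset value lost per occurrence


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: Dict[str, float]   # threat name -> fraction of its damage removed


def annual_loss_expectancy(assets: Iterable[Asset], threats: Iterable[Threat],
                           controls: Iterable[Countermeasure] = ()) -> float:
    """Sum of expected yearly loss over all threats, after the given controls."""
    values = {a.name: a.value for a in assets}
    controls = list(controls)
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:                       # independent mitigations compound
            remaining *= 1.0 - c.mitigates.get(t.name, 0.0)
        total += values[t.asset] * t.damage_fraction * t.annual_probability * remaining
    return total


def evaluate(assets: List[Asset], threats: List[Threat],
             controls: List[Countermeasure]) -> dict:
    """Compare the risk a set of controls removes with what the controls cost."""
    baseline = annual_loss_expectancy(assets, threats)
    residual = annual_loss_expectancy(assets, threats, controls)
    cost = sum(c.annual_cost for c in controls)
    return {
        "baseline_risk": baseline,
        "residual_risk": residual,
        "risk_reduction": baseline - residual,
        "control_cost": cost,
        # the business question from the article: is the cure cheaper than the disease?
        "worthwhile": baseline - residual > cost,
    }


# Constructed inventory: two assets, two threats, total value at risk of 100k.
ASSETS = [Asset("cardholder database", 1_000_000.0),
          Asset("sales laptops", 200_000.0)]
THREATS = [Threat("card data exfiltration", "cardholder database", 0.2, 0.4),  # 80k
           Threat("lost laptop", "sales laptops", 0.25, 0.4)]                   # 20k

# Two candidate countermeasures (hypothetical costs and mitigation factors).
PCI_PROGRAMME = Countermeasure("PCI certification programme", 1_000_000.0,
                               {"card data exfiltration": 0.9})
DISK_ENCRYPTION = Countermeasure("full-disk encryption on laptops", 5_000.0,
                                 {"lost laptop": 0.95})


if __name__ == "__main__":
    for option in ([PCI_PROGRAMME], [DISK_ENCRYPTION], [PCI_PROGRAMME, DISK_ENCRYPTION]):
        result = evaluate(ASSETS, THREATS, option)
        names = " + ".join(c.name for c in option)
        print(f"{names}: removes {result['risk_reduction']:,.0f} of risk "
              f"for {result['control_cost']:,.0f} -> "
              f"{'worthwhile' if result['worthwhile'] else 'bad business decision'}")
```

With these constructed inputs the 1M programme removes 72k of a 100k exposure and fails the test, while a 5k control that fits the actual loss pattern passes it. The point of the model is not the numbers but that the questions in the list above (asset values, value at risk, cost of controls, how risk changes when a control is added or dropped) are the inputs a business needs before any checklist can be judged strategic.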

If PCI is a failure, it is not because it doesn't prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use its common sense and ask these practical, common-sense business questions.

Copyright 2018 © QuinStreet Inc. All Rights Reserved