August 20, 2009
Hacking PCI-DSS Compliant Systems

In a recent blog post Rich Mogull touched an exposed nerve with respect to the much discussed PCI-DSS standard. The post is Rich's reaction to an interview given by Heartland's CEO, Robert Carr, to CSOonline. Carr was trying to shift the blame on the much publicized Heartland data breach to their PCI assessors and to the PCI council itself. Rich dismissed Carr's claims with respect to the assessors but raised the point about differentiating PCI compliance and actual security.

This debate coincidentally occurs in proximity to the recent Network Solutions breach, in which Network Solutions claims to have been PCI-DSS compliant.

Both events (and some others) raise the question of whether PCI-DSS compliant systems are indeed secure? Is there a problem with the standard or was there a specific problem with the quality of the audit?

I think that, much like any regulation or standard, PCI is here to set a measurable baseline for systems. To that extent I think that PCI is doing a much better job than other regulations (e.g. SoX, HIPAA, GLBA or, on the other extreme, the California Privacy Act). PCI is mostly straightforward and explicit about protected data items, security requirements and even technologies. It requires both the use of specific technical measures and the existence of organizational policies, as well as periodic internal (and external) reviews.

I do have a problem with some of the choices allowed by the PCI standard (e.g. section 6.6 providing a choice between vulnerability assessment and the use of a web application firewall - but then again, I work for a WAF vendor :)). I have a problem with some of the lenient assessment frequencies required by the standard (annually for some and quarterly for others). Finally, I think that some certification pieces are still missing from the PCI framework (there is no certification program for web application firewalls). These can (and I believe will) eventually be solved through the work of the PCI Council.

A different problem relates to the fact that compliance is measured by an audit at a single point in time. Taken to the extreme, an organization may update its anti-virus signature file only the day before a PCI audit and never again for the next year. Information, however, is at risk continuously (what a shame). The standard assumes that once an organization puts a given policy in place, that policy is enforced and maintained all year round rather than only around audit time.

And last but not least, there is indeed the issue of quality: the quality of the security solutions deployed by the organization, the quality of the deployment and the quality of the audit process (which is almost always determined by the amount of funds and the time frame allocated to it by the audited organization).

Any breach that is attributed to the two latter issues is of course the sole responsibility of the organization. A breach attributed to the first set of issues (those related to the PCI standard itself) can usually be traced to a specific choice made by the organization.

To sum up, I think that PCI-DSS can be a positive driver for data security. It will have this effect for organizations that make the right implementation choices, insist on the quality of solutions and assessors and, finally, track their deployments continuously rather than discretely when audit time comes.

- Amichai  

