During the past year, several high-profile companies that were "compliant" with the PCI standard have nonetheless suffered data breaches. As a result, the PCI standard has received a lot of criticism claiming that it is ineffective. I strongly disagree with this view. The issue is that PCI requirements should be viewed as a bare-minimum standard, not as ironclad security. Here are some of the technical limitations of PCI.
- For small companies, PCI validation requires a passing vulnerability scan once a quarter. Every quarter, thousands of new vulnerabilities are published. Relying on the results of a passing vulnerability scan performed once every three months can provide a false sense of security.
- Commercial PCI scanning services that look for vulnerabilities affecting PCI compliance do not test for all security issues. Typically, these services only perform network-based vulnerability scanning; they do not perform credentialed patch auditing, security testing of client software such as browsers, or configuration tests such as password complexity checks.
- Finally, for large organizations that must submit to an audit by a QSA, having an external auditor confirm that you are running an anti-virus solution, have a working firewall, track your users closely and so on STILL does not mean you won't have security problems.
For example, your systems may all be running the latest anti-virus solution, but there is still a very good chance that a newly mutated virus would go undetected and end up infecting systems that hold cardholder data.
A message to any CEOs reading this: just because your organization can prove compliance does not mean your organization is free of security issues that could result in a data loss.
Most critics of PCI take these limitations as a call to further tighten the security requirements of PCI. I strongly disagree. PCI does not need to be more restrictive. It must be flexible enough to meet not only the goals of PCI but also those of the business. If you make security part of your business goals, complying with PCI requirements is easy and the likelihood of a data loss is reduced.
Don’t necessarily blame PCI for a weak security program.