Data Breaches Show PCI DSS Ineffective

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found 71% of companies don't consider PCI as strategic, though 79% had experienced a breach.

By Danny Lieberman | Posted Dec 10, 2009

Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey? Is PCI DSS a failure in the eyes of US companies?

Let's put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security: the cost of damage, and the goodness of fit of countermeasures.

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k, then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business, not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don't see PCI as strategic is an indication that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition. If you want to satisfy the two principles, you have to prove two hypotheses.

Hypothesis 1: Data loss is currently happening.

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?

Hypothesis 2: A cost-effective solution exists that reduces risk to acceptable levels.

* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?
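The last three questions, and principle (a) above, reduce to comparing a control's annual cost with the Value at Risk it removes. The following is an added worked example, not code from the article: a small annualized-loss model with constructed asset values, breach probabilities and control effects (all of them assumptions for illustration), used to decide whether a 1M programme is justified against a 100k Value at Risk, and whether a cheaper control is.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    value: float               # exposure value of the asset, in currency units
    breach_probability: float  # assumed annual probability of a damaging breach
    exposure_factor: float     # fraction of value lost in one breach

@dataclass
class Control:
    name: str
    annual_cost: float
    # asset name -> fractional reduction of that asset's breach probability
    risk_reduction: dict = field(default_factory=dict)

def value_at_risk(assets, control=None):
    """Annualized expected loss across assets, optionally with a control applied."""
    total = 0.0
    for a in assets:
        p = a.breach_probability
        if control is not None:
            p *= 1.0 - control.risk_reduction.get(a.name, 0.0)
        total += a.value * a.exposure_factor * p
    return total

def control_decision(assets, control):
    """Compare the risk a control removes with what it costs per year."""
    baseline = value_at_risk(assets)
    residual = value_at_risk(assets, control)
    reduction = baseline - residual
    return {
        "baseline_var": baseline,
        "residual_var": residual,
        "risk_reduction": reduction,
        "net_benefit": reduction - control.annual_cost,
        "worthwhile": reduction > control.annual_cost,
    }

# Constructed sample portfolio: total Value at Risk is 100k, as in the article's scenario.
ASSETS = [
    Asset("cardholder_db", value=1_500_000, breach_probability=0.20, exposure_factor=0.25),
    Asset("source_code", value=500_000, breach_probability=0.10, exposure_factor=0.50),
]
# Hypothetical controls and effects, chosen only to illustrate the comparison.
PCI_PROGRAMME = Control("pci_certification", 1_000_000, {"cardholder_db": 0.6})
EGRESS_MONITORING = Control("egress_monitoring", 30_000, {"cardholder_db": 0.4, "source_code": 0.5})

if __name__ == "__main__":
    for c in (PCI_PROGRAMME, EGRESS_MONITORING):
        print(c.name, control_decision(ASSETS, c))
```

Changing a control's cost or reduction figures, or adding and dropping assets, answers the "how would risk change" question directly for your own numbers.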

If PCI is a failure, it is not because it doesn't prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use its common sense and ask these practical, common-sense business questions.
