
Does PCI DSS Really Matter?

eWeek's article "Security Experts: Merchants Racing to the Bottom for PCI Certs" exposes some of the dark side of security certifications. Quoting Jeremiah Grossman, chief technology officer of WhiteHat Security, the article says:

"I work with security guys as customers," he said. "They're all for fixing [vulnerabilities]. But there isn't any legal [compulsion to do so]. For the most part, [merchants] are looking for the cheapest, lowest-quality provider. There [are] no repercussions" for a security assessor who looks the other way from vulnerabilities a more careful assessor would catch, he said.

The security guys are trying to keep the merchants from long-term loss, but the merchants are too fixated on short-term costs. So is PCI DSS worth the paper it's written on?

I'd say yes. I don't question Grossman's concerns; they are real. PCI DSS, or some other regulation, needs more teeth, but at least these merchants are calling in WhiteHat Security and other approved scanning vendors (ASVs). Would these merchants, who are more concerned with thin margins in retail markets than with credit card security, take it upon themselves to spend more on security? The merchants concerned with protecting brand value would, but I doubt small and midsized merchants would be so ready to spend on information security. I'd bet they could rationalize spending on physical security to protect inventory, but our credit card data is another story.

I think Rich Mogull of Securosis makes an important point late in the eWeek article:

Give credit where it's due, at any rate: PCI is improving security, warts and all. "It is at least forcing companies to take another look at security," Mogull said. "I may complain about PCI but if they have to pass it to improve security it's good for consumers. And shareholders, and business."

The current version of PCI DSS is a start. The next version should clarify vague areas and specify responsibilities for fixing vulnerabilities and consequences for failure to do so.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net