I just finished reading a TechTarget editorial by Bob Russo, the General Manager of the PCI Council, in which he responded to an article by Eric Ogren. Believe it or not, I don’t intend this to be some sort of snarky anti-PCI post. I’m happy to see Mr. Russo responding directly to open criticism, and I’m hoping he will see this post and maybe we can also get a response.
I admit I’ve been highly critical of PCI in my past, but I now take the position that it is an overall positive development for the state of security. That said, I still consider it to be deeply flawed, and when it comes to payments it can never materially improve the security of a highly insecure transaction system (plain text data and magnetic stripe cards). In other words, as much as PCI is painful, flawed, and ineffective, it has also done more to improve security than any other regulation or industry initiative in the past 10 years. Yes, it’s sometimes a distraction; and the checklist mentality reduces security in some environments, but overall I see it as a net positive.
Mr. Russo states:
It has always been the PCI Security Standards Council’s assertion that everyone in the payment chain, from (point-of-sale) POS manufacturers to e-shopping cart vendors, merchants to financial institutions, should play a role to keep payment information secure. There are many links in this chain – and each link must do their part to remain strong.
and
However, we will only be able to improve the security of the overall payment environment if we work together, globally. It is only by working together that we can combat data compromise and escape the blame game that is perpetuated post breach.
I agree completely with those statements, which leads to my questions.
- In your list of the payment chain you do not include the card companies. Don’t they also have responsibility for securing payment information and don’t they technically have the power to implement the most effective changes by improving the technical foundation of transactions?
- You have said in the past that no PCI compliant company has ever been breached. Since many of the organizations that were breached had been certified as compliant, that appears to be either a false statement, or an indicator of a very flawed certification process. Do you feel the PCI process itself needs to be improved?
- Following up on question 2, if so, how does the PCI Council plan on improving the process to prevent compliant companies from being breached?
- Following up (again) on question 2, does this mean you feel that a PCI compliant company should be immune from security breaches? Is this really an achievable goal?
- One of the criticisms of PCI is that there seems to be a lack of accountability in the certification process. Do you plan on taking more effective actions to discipline or drop QSAs and ASVs that were negligent in their certification of non-compliant companies?
- Is the PCI Council considering controls to prevent “QSA shopping” where companies bounce around to find a QSA that is more lenient?
- QSAs can currently offer security services to clients that directly affect compliance. This is seen as a conflict of interest in all other major audit processes, such as financial audits. Will the PCI Council consider placing restrictions on these conflict of interest situations?
- Do you believe we will ever reach a state where a company that was certified as compliant is later breached, and the PCI Council will be willing to publicly back that company and uphold their certification? (I realize this relates again to question 2).
I know you may not be able to answer all of these, but I’ve tried to keep the questions fair and relevant to the PCI process without devolving into the blame game.
Thank you,
4 Replies to “Some Follow-Up Questions for Bob Russo, General Manager of the PCI Council”
LonerVamp,
Thanks for taking the time to share your perspective. We both agree that there needs to be continued emphasis of the PCI DSS as a foundation for a strategy that focuses on security, rather than compliance; and you are also right that despite us advocating this, it often isn
Wow, how’d I miss this gem of a post? I’m slacking off!
“I can
Thanks Bob - I really appreciate your willingness to hop over here and respond.
While you didn’t cover everything, I think this is still very informative. It’s clear now, per your statement, that your mandate is somewhat limited and any discussions of changing the payment system are beyond the charter of the PCI Council. (That’s not a criticism, nothing you can do about it).
I realize I might be a bit of an armchair quarterback, but I try to be a constructive one (and I’ve been advising clients on these issues since before PCI existed).
I’m still concerned with some of the process-oriented issues involved in certification. The fact that most of the big breaches involved organizations that were certified, yet non-compliant, is concerning. I’ve made some suggestions in the past on possible ways to address this that aren’t overly burdensome on companies, which might make good fodder if we ever do meet up at an event.
I’ll fight my normal nature and keep this concise - thanks for the response, and I look forward to having a full discussion down the road… we have plenty of beer here at Securosis Central, a much better selection than the White House.
Hi Rich,
Thanks for taking the time to review my post on Search Security, and for giving the issue of payment security a lot of thought. You seem to address the issue pragmatically, which is exactly what is called for when trying to raise the awareness of PCI standards and the security of organizations globally.
I wanted to take some time to respond to your open letter, and provide you additional clarity to a few of your questions. Before I address your letter, I