PCI and Global
There has been a lot of discussion and analysis since the confirmed breach at Global Payments and the "export" of something under 1.5M credit card records. I have no insider information and have only read Brian Krebs' and Alan Shimmel's blogs, and I agree with their thoughts up to a point. The card brands are pigs, in a way. They do their damnedest to push all the blame onto the banks and merchants, not to mention the cost and the risk. The brands just rake in the money, at a good profit and with (almost) no risk. It's not all black and white, but this is basically what it looks like.
On the other hand, I do not agree with what is being said about compliance and why PCI-DSS is there in the first place. Take two claims that keep coming up. First: you are only compliant at the moment you get the approval stamp from the QSA. True. Second: you are de facto non-compliant if your systems are breached. False. You can be compliant and still be breached; it is the findings that come out of the breach investigation that may make you non-compliant after the fact. As far as I can see, nothing in the standard says you have to be fully protected against zero-day exploits, only that you have to log security events in a secure, tamper-resistant way (Requirement 10). If you are compliant, the breach is being logged. So you are still compliant even when the breach happens.
And last, and this has been my standpoint from the start: PCI-DSS might be seen as just another regulatory compliance checkbox exercise, but there is more to it. It has common sense built in. If you look at PCI-DSS as a common-sense handbook for implementing a security baseline in your environment, it is indeed a good manual. If you comply with the rules and settings in that guideline, you have a pretty good defense against the common, everyday intrusions and break-ins. I am not saying you're home free, but you have solid ground to build your environment's components on. Of course, if you have highly sensitive data to protect you need more on top of those guidelines, and that comes with an even higher price tag.
It's bad to lose sensitive data, but it's even worse to not protect it, even on a basic level, such as the PCI-DSS.