You know, it’s kinda funny.  Everywhere I go, I see how polarizing PCI DSS is.  If you deal with PCI often, think about your interactions with others when discussing PCI.  This is a response you have probably never heard: “Well, that PCI thing is OH-KAY.  I’m not really thrilled one way or the other…”

More likely it was something like “That F&*@ing PCI DSS!  I hate it!” or “God bless those PCI DSS Overlords for giving me a stick to whip my company into shape!”  I tend to hear the former much more than the latter, but that demonstrates the wide difference in corporate cultures faced with PCI DSS.

Mouthing off, by db*photography

Those of you screaming and complaining about PCI should stop for just a second.  Do you remember why you are so upset with it?  Is it like one of those big fights that you get into with your best friend, and three days later you can’t remember why you were fighting in the first place?  For some of you out there, maybe three years later?

Sure, PCI comes across as a big industry-wielded hammer.  And when the only tool you have is a hammer, everything looks like a nail.

I think the biggest complaint I’ve heard about PCI (and CISP/SDP before that) was someone at a merchant or service provider screaming “HOW DARE THEY TELL ME HOW TO RUN MY BUSINESS!”  Yes, screaming.  Not kidding about that part folks.

When used properly, PCI can be that “stick” (as opposed to the carrot—both being motivational tools) that we security professionals have been wishing for!  Using the carrot (instead of the stick) to push security along has been mildly successful in most companies.

The stick is much more effective.

As Visa learned with their Compliance Acceleration Program, if you can affect the business’s bottom line with a stick, it’s amazing how fast businesses will comply.  Without the stick, merchants and service providers suffer from “Analysis Paralysis.”  In this context, they will do everything they can to over-analyze a compliance gap without taking any action to actually close the gap, thus costing them significantly more in the long run.

I hate to say this, but most of the Analysis Paralysis is actually a defense mechanism.  “If I sit here and try to find a way out of fixing this gap, or I delay the decision long enough, maybe I will have gotten that promotion and it won’t be my problem anymore!”  Except, when the Reaper comes (that compliance deadline), Analysis Paralysis can bite employees hard.  Had they taken the energy they spent on delaying the inevitable and put it towards addressing it, the soft costs associated with the fix would be dramatically lower.

365ish: July 9, iBeeCortnee

“OK, so enough with the rant Brando,” you are thinking right about now, “tell me what I’m ‘DYING’ to hear.  Why is this good for me?!?”

PCI is good for retailers because retailers traditionally don’t think about information security when you talk to them about security.  They think about shrink and fraud prevention.  It’s just a different mindset.  But PCI DSS is NOT the scariest regulation or stick out there.  In fact, PCI DSS is pretty tame when you compare it to the state data breach laws most companies are governed by nowadays (many companies not realizing they have to do something about these laws).

PCI forces the issue with companies that have immature information security programs.  It calls information security to executives’ attention, and forces them to take a hard look at how they currently address it.  Every C-level executive I meet in the context of PCI and Information Security tells me “I don’t want to be THAT CFO/CIO/CEO with my picture in the Wall Street Journal because a big breach happened on my watch.”

Just like getting physically (or financially) fit, talking about change does nothing.  You have to feel the burn of change!  You have to EARN it.  Complying with PCI and other initiatives is painful, but if you do it right, you can make sure your efforts go the distance and ultimately improve your entire data security posture.

This post originally appeared on
