Ahh, the haters.  Everyone that deals with PCI on a regular basis knows one.  Sometimes they take the form of a guy that doesn’t want to actually do his job, or an armchair security gal, or your nemesis that uses his industry position to irresponsibly spread false propaganda, or true security experts that point out serious concerns or flaws with the standard.  As security professionals, we key stakeholders (including QSAs, ASVs, payment brands, and the framers of the standard itself) need to listen to the last group intently to ensure that we understand the risks as it pertains to the changing threat landscape, making adjustments where appropriate to protect the data entrusted to us.

THE #1 STUNNER, by Hoggheff

PCI haters are valuable people.  By and large, the majority of the individuals (normally falling into the first three categories above) hating on PCI are doing so out of a fundamental misunderstanding of the standard, or an attempt to apply it to a larger area than it was intended.

For example, if you take PCI-DSS and make it your security TOPline (meaning the best you will ever achieve security-wise), you will be missing key sensitive data elements in your security program, potentially leaving gaping holes for hackers to hurl their bits through.  Or, on the fundamental misunderstanding side, you might still think that the payment brands force merchants to store cardholder data.

“If you think that the payment brands force merchants to store cardholder data, you might be a PCI haytah.”  If that was as painful for you to read as it was for me to write, I win.

The amount of misinformation about PCI is about as enormous and incredible as the number of people that spread it.  So why should we love people like this?

For one simple reason, people are TALKING!

Sometimes these folks cannot be reasoned with because their minds are closed.  Getting help in Security is like getting help with addiction.  Step 1, admit you have a problem.  For those folks that do not want to change, you are wasting your breath.  They have to walk off the cliff on their own before they will listen.  They may outwardly say, “Don’t tell me how to do my job!”  What we really hear is, “Don’t tell me how to do my job, I can run this thing into the ground just fine on my own.”

But for those that have open minds, it’s amazing what a little dialogue will do to further both your cause and theirs.  I recently had a discussion with someone who complained about password complexity requirements.  He believed that all of these controls were too prescriptive.  When I showed him how easy it was to break his six character password, and an easy way for him to keep his six character password but add a second layer of authentication with a token, exponentially increasing the strength of his authentication system, he promptly began to open dialogues with his management to roll the technology out to all key users.

For his business, this made sense.  It’s not for everyone, but you will never know unless you open a dialogue.

So go find a big PCI hater that you know and engage her.  Many of the haters have useful points and need to be understood.  If your hater is more of the closed-minded zealot variety, smile, nod, and get to know his boss.  She might be calling you one day.

This post originally appeared on BrandenWilliams.com.