For my first real post of 2016, let’s deconstruct a quote from an article published by eWeek about PCI DSS and 2016. The quote in question is from Jeremy King, International Director for the Council.

“The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used.”

The rest of the quotes fall along the messaging guidelines that you hear from the Council (although this appears to be more of a pitch related to the logging SIG), but this one stuck out for me. It reads like something that wants to be true versus something that actually is true. In the Council’s defense, they will readily cite that no fully PCI DSS compliant merchant has ever been breached. But here are a few things we should consider about this quote:

  • How is PCI DSS proven to be highly effective? Usually when you see words derived from the root “proof,” there is an implication that you can see evidence of the claim. The lack of evidence can be an indicator, but it is not evidence in and of itself. What proof do we have that it is highly effective wherever it is adopted and used?
  • The phrase “highly effective” requires context. What determines the outcome of being highly effective—the absence of a publicized breach? In order to really understand this, we need to understand the goals of the standard. Is it to save firms from payment card breaches? Varied interpretations of the standard imply that there could be thousands of fractured versions of it in practice, all reviewed under the guise of a risk-based approach. Given that, and the pretty tough year that retailers had in 2014, I’m not sure we can use the phrase “highly effective.”
  • Absolutes are tricky. The phrase “wherever it is adopted and used” smells of absolutes, which are hard to prove even with evidence in such a short time frame (just over eleven years). This is especially tricky with expansive standards that cover digital items—some of which only exist for a few minutes before being destroyed. When UL certifies that a device accepts and reacts to AC power correctly, there is visible evidence to prove it. Sometimes that evidence is harder to come by in the digital world. I bet there is at least one place on this planet that would challenge this absolute.

Firms that handle payment card data have to move away from the thought process that PCI DSS compliance is an endgame to their security strategy or is even a factor in keeping bad guys away. The items in PCI DSS are generally pulled from standard security practices—many of which have existed for much longer than the standard has and are built into many of the products involved in the ecosystem. We should question claims that are this bold and broad.