The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much — not funny. Below is a link to a mainstream media trade magazine for the hospitality industry in which the claim that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Link: http://is.gd/cgoTz

Now, I agree that hospitality folks should be PCI complaint, since they meet the requirements by taking credit cards, but setting PCI DSS as the goal is horrible enough. Making PCI out to be the “best defense” is pretty ridiculous.

PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed to be acceptable to protect information. However, there is, in most all cases, a severe gap between the minimum requirements for protecting data and what I would quantify as the “best defense”. There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate. As an initial stab, just consider these items from our 80/20 approach to infosec left out of PCI: Formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation and even skills gap/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.