The security standard used to protect credit cards isn't up to the task and upgrades that are planned for this fall do virtually nothing to improve it, a security expert told Interop attendees this week. Not only that, the so called payment card industry data security standard (PCI DSS) is driving what businesses spend their security money on, which is not necessarily the same set of things they would do to best protect their assets, said Josh Corman, research director in the enterprise security practice of The 451 Group.
One of the glaring shortcomings of PCI DSS is that it doesn't address cloud computing at all, leaving businesses interested in the cost savings promised by the cloud unable to use it in a way that complies. And the draft of the changes that go into effect this fall that Corman has seen don't address cloud, either, he said.
The problem is that with pinched budgets, CIOs and CISOs are forced to limit their security budgets. Since PCI DSS is mandatory for anyone handling credit card data, its requirements are being met, often at the expense of other measures, Corman said.
"PCI has created budgets where there were none," Corman said. A common belief is that IT security is recession proof, but PCI compliance has forced much of the spending that might have been cut otherwise. "It's probably more accurate to say compliance made [security] recession proof," he said.
PCI DSS may or may not do a good job of protecting credit card data, but it definitely doesn't do the best job of protecting all corporate assets based on their value to the corporation, Corman said. "PCI is not meant to protect [your business], it's meant to protect the data you have become responsible for," he said. "The [qualified security assessor] isn't protecting the herbs and spices for the colonel; he protects the credit cards."
The impression within the industry, though, is that PCI DSS is a standard that if applied to any business network will adequately secure it. And since PCI DSS is mandated for many businesses, it sets the bar – perhaps not a very high one – for adequate security, Corman said. Many security executives he talks to say much of their spending is driven by making sure the business can pass a PCI DSS security audit, not that the riskiest assets are protected. "We now fear the auditor more than the attacker. Is that a good thing?" Corman said.