The Great PCI Debate from Shmoocon

Posted by:

admin 14 years, 9 months ago

I really enjoyed the PCI debate at Shmoocon, but probably because it was more circus than it should have been. (Here's another summary from Anton Chuvakin)  The pertinent points I came away with where:

• Prescriptive Security is not necessarily going to be secure.
• The brands need to fix it instead of making everyone else apply a band-aid.
• Many merchants are doing security for the first time, no longer storing payment information in plain text on PoS devices.
• It's like "No Child Left Behind" dragging the industry to the middle.
• PCI-DSS is bad because it is sucking investment away from other areas of security
  

I'll take these last two points on today. They were both from Josh Corman of 451 Group, who joined virtually via Skype (providing Shmooball protection, wise move).  Josh has access to way more data than I do, but I have some questions about the last point.  Many merchants and processors come to WiKID for two-factor authentication because their audit is about to occur or in fact is occurring.  For the most part, they do not have any two-factor authentication.  They have seen pricing from "market-leading" vendors and decided to look elsewhere.  So, my question is:  If some portion of the investment in information security technology is coming from new companies, then isn't that better?  Indeed, Forrester is predicting that Information Security spending to grow in 2010.  So, if more companies are spending more on information security, that's good.

The point Josh was really making, I think, is that research dollars are not being spent on other threats. Inside, engineers are doing audit work and installing WAFs.  I think this argument failed to hold water, though, because it is at best a temporary situation.  Once companies become PCI compliant and deploy the required technology, maintenance will be less costly. 

Additionally, just look at how (depressingly ;) competitive the two-factor authentication market is now.  Prices have come down significantly. This reduction should increase adoption of two-factor authentication, hopefully even where it is not required.  I suspect that similar price reductions are occurring in all the major PCI-related markets.  Prices will drop, companies will merge and stability will come with consolidation, with consolidation will come bored entrepreneurs who will then go start the next big thing.

Whether PCI is dragging every company into mediocrity, is of greater concern and it's why the PCI powers that be should seriously consider re-designing PCI to evolve rather than trying to manage it.

• Tags:
• Information Security,
• Security and Economics,
• Two Factor Authentication,
• pci

• ← SANS Institute Critical Controls
• More on PCI: The Costs of Credit Card Fraud →