I was somewhat surprised to read this post from RSnake about how good PCI is for business. I have to disagree with him. While I agree that PCI sometimes sets a floor for a minimum, it also sets a ceiling for the vast majority of organizations.
PCI compliance has become the must-have for any organization that deals in credit card data. I do think it is admirable that they are trying to shape things up, but the process is doomed to fail because of the glacial pace at which it moves. I met with some of the early PCI people in 2000 and told them they needed to include Web Application Security in the standard. They stared at me like deer in the headlights. They had no idea what I was talking about. Now, 7 years later, they have some very half-hearted and non-specific language in the standard about protecting and assessing your web application. Look at the requirements for network scanning: quarterly!?!? Are you kidding me! It is OK to have a huge gaping hole for 3 months?
So here is the rub. Organizations are spending most, if not all, of their security budget to become PCI compliant, and that leaves practically nothing left over to secure the things that are not covered. Large organizations will have the budget to go above and beyond the standard, but the SME market will struggle just to meet a standard that forces them to implement practices that may or may not make them more secure, often at a significant cost, leaving them exposed in other areas not covered by the standard.
