PCI DSS and Regulatory Compliance Blog

PCI Smackdown

March 23rd, 2007 Posted in Conferences

I just finished the PCI Training Days, a two-day training class on PCI for merchants and service providers. We had people travel to San Francisco from as far away as the UK and Malta! I was very impressed at the quality and number of people.

The two-day class involved Bill Cook, a lawyer who fielded the liability questions, and Alex Bakman, from ECORA. We also had an acquiring bank drop in to share their experiences and some behind-the-scenes stories about PCI programs.

The feedback forms were all positive, and the participants were really engaged. I thought for sure people would be shy about sharing details about their company, but one merchant even discussed details of their experience going through a compromise.

So, I had a beer and then some dinner, and had to come home to this. I cannot begin to tell you how entirely wrong Mark is. He takes every possible thing dealing with the industry, no matter how tangential, and twists it into a Quentin Tarantino storyline.

In my class, I teach people the reason for each of the requirements, why the industry is the way it is, and who the players are so they can better interact with them. In this blog, you will find responses and reasons for many of the issues Mark and others raise. When you don’t understand how the industry and the standard work, it’s easy to attack the negative aspects of them. Well, it looks like I will have to teach many more classes because not enough people understand the industry or PCI. I don’t mind a little job security.

3 Responses to “PCI Smackdown”

By Alex on Mar 26, 2007

    “When you don’t understand how the industry and the standard work, it’s easy to attack the negative aspects of them.”

    I’m sorry, but that’s just downright insulting. I think Mark Curphey knows how the “industry” works. As for the standard? It’s right out there available for anyone to see, and PCI representatives are there to give us all the ambiguous answers we need.

    I’ll say it again. The PCI standard (and others like it) is a form of Paternalism. They’re fine if you’re a complete idiot and can’t get your act together. But if you know what you’re doing - the PCI standard is unnecessary bureaucracy.

By datasecurity on Mar 26, 2007

    Alex,

    I stand by the comments of not understanding PCI DSS. I think you and I agree but in different ways. For example, I too agree that PCI is not necessary for people who “know what you’re doing”. The thing is that most people do not have their act together from a data security perspective. You can see this from the number of compromises in the payment industry.

    My comments were not targeted at insulting Mark; I’m sure he is a very smart security professional. What I challenge is people who claim to understand PCI DSS and how it works when they do not. It’s much like looking at the exterior of an airplane and saying what a bad design it is without having an understanding of the engineering behind it.

    I may go too far in defending PCI DSS, this I admit. But PCI is a standard that is here to stay, and the way to change it for the better, the way to improve it, is not to complain about the shortcomings. It is to suggest improvements.

    Many of the comments Mark made have sound security basis when posed in the right light. What I disagree with is how they are implemented and interpreted. The one thing I think is very lacking with PCI has nothing to do with the standard but with the level of educational information that surrounds it.

    In reality I think that, given a chance to discuss PCI, Mark and I would eventually agree on many of the same points. The difference is the perspective we would take. For example, comparing “code review” with “application firewall”. It sounds like a bad comparison until you understand WHY they were put there. We can both debate either side of the wording and whether it is good; these are our differences, but there are reasons for each of the requirements that map directly to the industry.

1 Trackback

Sep 18, 2007: Application Governance for Oracle E-Business Suite » Blog Archive » PCI Compliance in Oracle EBS
