Wednesday, October 29, 2014

OPINION: PCI-DSS Pretty Much Useless...

Merchants must meet more than 400 requirements, like installing firewalls, updating antivirus software, and ensuring that credit card readers haven't been tampered with. 

We hate to break it to you, but having a firewall, antivirus and checking your credit card readers for tampering will not protect you from a data breach. We were reading an article on PCI-DSS and nearly choked.

It looks to us like anybody can pass one of these retailers' audits. They better be thankful it's not us doing the audits or these folks would be in trouble.

The news item we were reading is here.

This is exactly why the industry will continue to get hacked and breached frequently. The people making the rules don't understand real security, and the rules and regulations don't address real issues.

The audits are conducted only once a year, so they may not provide a full picture of a retailer’s security.

That's true. Security administrators make changes nearly every day, or at least they should. Without safeguards in place they can change items that would make them non-compliant and if they are not audited for a full year that's a great big open invitation for problems.
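One safeguard that closes the gap between annual audits is a drift check: keep the audit-approved configuration as a baseline and compare the live configuration against it every day. The script below is an added example, not code from this post or from any PCI assessor; the setting names and both snapshots are constructed sample data, and a real deployment would load them from a configuration export rather than literals.

```python
"""Hypothetical configuration-drift check (added example, not from the post).

Compares a stored, audit-approved baseline of security settings against the
live configuration and reports every divergence, so a change made the day
after the annual audit is caught immediately rather than a year later.
Both snapshots below are constructed sample data.
"""
from typing import Any

# Constructed: the configuration state signed off at the last audit.
BASELINE: dict[str, Any] = {
    "firewall.default_inbound": "deny",
    "firewall.allow": ["tcp/443 from any", "tcp/22 from 10.0.0.0/8"],
    "antivirus.signature_max_age_hours": 24,
    "cardholder_db.tls_required": True,
    "logging.central_forwarding": True,
}

# Constructed: the configuration as it looks today, after some "quick fixes".
CURRENT: dict[str, Any] = {
    "firewall.default_inbound": "deny",
    "firewall.allow": ["tcp/443 from any", "tcp/22 from any", "tcp/3389 from any"],
    "antivirus.signature_max_age_hours": 24,
    "cardholder_db.tls_required": False,
    "logging.central_forwarding": True,
    "debug.remote_shell": True,
}


def detect_drift(baseline: dict[str, Any], current: dict[str, Any]) -> dict[str, dict]:
    """Return {"changed": {...}, "added": {...}, "removed": {...}}.

    changed: keys present in both whose value differs from the baseline
    added:   keys present only in the live config (unapproved settings)
    removed: keys present only in the baseline (controls that disappeared)
    """
    changed = {}
    for key, expected in baseline.items():
        if key in current and current[key] != expected:
            changed[key] = {"expected": expected, "actual": current[key]}
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return {"changed": changed, "added": added, "removed": removed}


def is_compliant(baseline: dict[str, Any], current: dict[str, Any]) -> bool:
    """True only when the live config matches the approved baseline exactly."""
    drift = detect_drift(baseline, current)
    return not any(drift.values())


def report(drift: dict[str, dict]) -> list[str]:
    """Render drift as one human-readable line per finding."""
    lines = []
    for key, diff in sorted(drift["changed"].items()):
        lines.append(f"CHANGED {key}: expected {diff['expected']!r}, found {diff['actual']!r}")
    for key, value in sorted(drift["added"].items()):
        lines.append(f"ADDED   {key} = {value!r} (not in approved baseline)")
    for key in sorted(drift["removed"]):
        lines.append(f"REMOVED {key} (present in baseline, missing now)")
    return lines


if __name__ == "__main__":
    findings = detect_drift(BASELINE, CURRENT)
    for line in report(findings):
        print(line)
    print("compliant" if is_compliant(BASELINE, CURRENT) else "DRIFT DETECTED")
```

Run daily from a scheduler and alert on any non-empty result; the point is that the administrator's change on day one is visible on day one, not at the next audit. Legitimate changes are handled by updating the baseline through change control, so the baseline stays the record of what was actually approved.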

“To most security guys, it’s just a box you check to protect the CEO. It’s not real security.”

Yeah, we agree with that statement. That is why we fail 80-90% of all first-time audit clients. The difference is we see the work through until we are confident that they have real security in place, and we assist our clients in securing their network, not just giving them the findings and suggestions. Most clients we deal with need assistance and assurance to ensure that the changes made are effective.

It's a sad state in the security world. There are companies that do it right, but unfortunately there are many that fail at security as well.

