Time to take a step back and look at PCI. We all know and love it, or love to hate it for various reasons, but I’d like to go back to the roots of it all and ask one question: “What is PCI for?” The simple answer that I can get on board with most is that it’s there to promote spending by increasing consumer confidence. So the obvious goal is to reduce account take-overs and information disclosure wherever possible, not necessarily to eliminate them, but to increase buyer confidence by lowering the statistical probability that a buyer will be compromised by purchasing online.
I’ve always been an advocate of increasing the potency of PCI by making it more stringent, for which I have been told I am anti-business. Not exactly. Let’s use an example. Let’s say I’m mega huge company-A and I follow every security restriction on the planet that I can to ensure that data isn’t leaving our site, but meanwhile mega huge company-B is doing nothing, or the bare minimum. Since we will most likely share a great deal of users if we have any amount of web presence, company-A is now at the mercy of company-B. Users tend to use the same passwords, give the same answers to secret questions and so on, so once a user on company-B is compromised, they are also compromised on company-A. Same exploit, another day.
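One defensive measure company-A can take against the password-reuse problem described above is to refuse passwords already known from someone else’s breach, without ever handing the user’s password to whoever holds the breach data. The following is an added example, not code from the original post: it simulates a k-anonymity range query of the kind used by breached-password services (the client sends only the first five hex characters of the SHA-1 hash and does the final comparison locally). The breach corpus, function names and the five-character prefix length are assumptions made for the illustration.

```python
import hashlib

# Constructed stand-in for a breach corpus leaked from "company-B".
# Real services hold only digests; the plaintexts here exist just to
# build the index for this example and are NOT from any real breach.
_BREACHED_PLAINTEXTS = ["password", "123456", "letmein", "qwerty", "summer2009"]

PREFIX_LEN = 5  # assumed range-query prefix length (hex characters)


def sha1_hex(text):
    """Uppercase hex SHA-1 digest of a UTF-8 string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server-side index: hash prefix -> list of hash suffixes seen in the breach.
BREACH_INDEX = {}
for _pw in _BREACHED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:PREFIX_LEN], []).append(_h[PREFIX_LEN:])


def range_lookup(prefix):
    """Server side of the protocol: return every suffix that shares `prefix`.

    The server learns only the prefix, so it cannot tell which of the
    returned candidates (if any) is the caller's actual password hash.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return list(BREACH_INDEX.get(prefix, []))


def is_breached(password):
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    candidates = range_lookup(digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in candidates


def validate_new_password(password, min_length=12):
    """Registration / password-change policy check for company-A.

    Returns (accepted, reason). Rejects passwords that are too short or that
    already appear in the simulated breach corpus, so a credential stolen
    from company-B cannot simply be replayed against company-A.
    """
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "appears in a known breach"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "summer2009", "correct horse battery staple"]:
        print("%-32r -> %s" % (candidate, validate_new_password(candidate)))
```

The important property is the split between `range_lookup` (which sees only a prefix) and `is_breached` (which does the final match on the client), so the check can be outsourced to a third party without that party learning the password being tested. In production the corpus lives behind an HTTPS API rather than an in-memory dictionary, and the policy would also reject passwords reused from the same user’s own history.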
I remember a long time ago there was one of those giant worms going around where the solution was easy enough: egress filtering. You couldn’t stop it on ingress, but if you and everyone else blocked egress the worm would stop spreading. But how, as an IT administrator, can I tell my management that we need to do egress filtering, which will do little to nothing for the worm as it stands at the moment, but will stop us from infecting other people? It’s a tough sell. Yet it’s a similar problem. My security directly impacts a lot of people who read this site, whether they want it to or not, and therefore it also impacts their businesses and their personal lives, which bleed onto many other sites. If I were to have a major 0-day exploit on this site, it would be a problem not just for me, but for everyone who visits the site and would be vulnerable, and for any sites they then use.
So PCI, while not an easy sell and even tougher for people who lack a sense of altruism, has the potential to solve a lot of problems with an amendment adding more stringent requirements. Yes, it’s tough on companies now, and yes, they will often go to the low-cost solutions as a result, but raising that bar actually has the potential to improve consumer confidence. That’s the theory anyway. Perhaps in practice we’ll find that the end result is that we’ll stop seeing small hacks and start seeing a lot more huge ones that make up the difference for any improvement in security, since we all know we can’t be 100% perfect in security. It’s an interesting case study anyway.