PCI Shrugged: Debunking Criticisms of PCI DSS

PCI DSS is imperfect, but Ben Rothke and Anton Chuvakin say the standard is in security's best interest. Here they refute common complaints and criticisms of PCI DSS.


READER FEEDBACK
Anonymous
Thu, 2009-04-16 15:43

The criticism that I have had with the standard is that many items in PCI-DSS are vague. For example, MSRs (magnetic strip readers) are not even mentioned in the PCI-DSS standards, yet they are widely used throughout the industry. Are MSRs a simple extension of the keyboard, or are they considered PEDs (PIN Entry Devices) in PCI-DSS? No distinction has been made or defined.

There are many "vague items" like this that need clarification BEFORE an organization gets dinged for not being compliant.

Anonymous
Thu, 2009-04-16 16:27

From reading this article I learned that if I don't think PCI is a great security standard I obviously don't understand security. When I got up this morning I didn't know I would read something from such elevated beings! Thank you for correcting my ignorance.

Anonymous
Thu, 2009-04-16 19:36

Though I agree with everything that you said, I think you are still missing one critical point when it comes to the PCI standard: banks and our governments can and should do more.

Banks should assume that a payment card number and expiration date and multi-use-everywhere CVV is stolen, along with all of the other personal identity info that could be taken.

Banks should take steps to mitigate the risk, such as requiring single-use PIN info for every transaction.

Governments should mandate such steps for everyone so that the first bank and first vendor to implement is not hit by ill-informed customers taking their business to other organizations because they don't like the extra hassle.

There are plenty of other steps that could be taken. Though no single step is bullet-proof, overall security would improve.

Anonymous
Thu, 2009-04-16 20:48

It is very difficult to get executive buy-in when your merchant banks are telling you that you are level four and you are compliant. Hell, they don't know what they're talking about. We have security, we know security, we know risk assessment. But traditionally, Information Services NEVER had anything to do with the implementation of credit card readers, connections, applications, etc. We have no idea where all of this exists in our organization. And when we try to find out from the Finance department, who managed device deployment, we get no accountability from them. We've attempted surveys with our management team, but probably didn't even get a 30% response. We have a great security program, constantly maturing. We can address a lot in our healthcare environment with regard to the protection of PHI (protected health information) and HCBI (health care business information) EXCEPT when it comes to credit cardholder data.

*** The comments posted here are purely those of the author and not necessarily those of the organization he represents, for which you now have our email domain address! I trust that you say the email address will be kept private.

John Schneider, M.Sc. CINS, CISSP, ITILv3
Tue, 2009-08-25 01:33

I don't get that anyone is saying that PCI DSS doesn't have some value. Yes, while it does have the benefit of being a regulatory influence on commercial agents who otherwise wouldn't bother with any security, there are clearly those of us security practitioners who believe it could be better (as a standard). I mean, why squander the perfectly good opportunity to wield a big stick (regulation) with marginally effective minimum standards?

This isn't about getting management buy-in, or being grateful that some regulation somewhere is making many of these firms that would otherwise do nothing, do something. If anyone needs to be thrown under the bus, it's the Simon LaGrees of the corporate world who think they can get a free lunch from PCI DSS regulations.

As before, in the final analysis, it *is* the data owner who holds the ultimate responsibility for the security of their infrastructure and data which depends upon it. So nobody is throwing qualified QSAs under any bus.

Unfortunately, it is also my professional opinion that you're defending a self-serving process that gives the regulated members of the PCI industry a largely false sense of accomplishment, based on technology standards that could easily be more effective, and on QSA conduct standards that permit agents of our industry to simply 'look the other way' because it's apparently 'not their job' to provide full disclosure beyond the scope of the assessment (again, which only a qualified and trained security pro can do). And that's because there's no clear delineation as to whose best interest is actually to be served.

IMO, PCI DSS compliance shouldn't be intended as a corporate veil to fend off litigation for professional malfeasance. Its SOLE mission should be to protect those whose PII represents the true value in their organization, and THAT should be the only interest of the assessors and the regulations that created their field. If the standards don't make that crystal clear, then fix 'em.

Like I said, plenty of blame to go around.
