In a recent eWeek.com article by Evan Schuman, PayPal CISO Michael Barrett shared the following thoughts regarding the PCI Data Security Standard (PCI DSS):
- “it’s both too specific and too vague. It needs to be specific about what needs to be done, but not specific as to how it needs to be done.”
- Compensating controls are “a painful exercise and you have to go through it every year” and endure “a very long discussion with the auditors about whether or not you have the series of controls.”
- “It really does describe an everyman kind of security program. As a consequence, you really ought to be able to pass.”
- “What I have no sympathy for” are retailers who say that PCI is worthless and who therefore don’t even try.
As Schuman points out earlier in his article, considering the diverse makeup of the organizations that process credit card information, and that the PCI DSS was "formed by committee", the standard has done a good job as a catalyst for improvements in cardholder data security.
Barrett's statements make it clear that improvements to the standard are still needed, particularly in how compensating controls are defined and assessed.
Contributed by Mark Tordoff