In a nutshell, PCI-DSS is not a solid security program. The real story is that it was created mainly to keep government regulators off the backs of the payment card industry; very little actual risk reduction went into it.
In this article, we’ll go over 7 reasonable arguments for the irrelevance of PCI-DSS, and why it shouldn’t be your baseline security posture as a Canadian.
Top 7 Reasons
- The payment card industry has been around for years. Its technology is old, and things change quickly nowadays. What’s the point in spending your life’s savings on PCI compliance when so many new forms of payment already exist?
- The QSA audits are a joke. None of the auditors is required to be an expert in all 12 requirements of the standard, yet they assess your compliance in every single one of those areas. How much sense does that make?
- PCI-DSS doesn’t do justice to security in the bigger picture. If compliance is all you’re pushing for, you aren’t giving security the importance it deserves. PCI-DSS teaches you to be “compliant” instead of going above and beyond.
- There is no governance in PCI-DSS; the word isn’t mentioned once in the standard. It’s hard to believe you can properly run a risk assessment without governance.
- PCI-DSS has a ridiculous “point-in-time” aspect. Under PCI-DSS, you can be accepted as compliant on the strength of evidence that is over 360 days old. It’s tough to stomach a security standard that allows this.
- The controls in PCI-DSS are weak. There is a total lack of systems management in the framing of the standard, and the monitoring and logging requirements are far too basic. There’s no way to adequately test for true security with such poor control requirements. And yet the SSC keeps claiming that the payment card industry provides a global data security standard that can’t be matched.
- There’s a lot of competition in the world of PCI, and billions of dollars flow through the industry. To reiterate: PCI-DSS shouldn’t be your baseline security. Yet all this money is fed through QSA companies just to meet compliance with a standard that isn’t much of a security program at all.
Don’t Let PCI-DSS Be Your Baseline Security
Compliance with PCI-DSS just isn’t enough; it’s barely a security measure at all. If you’re a Canadian reading this, focus on going above and beyond the standard PCI-DSS sets. The payment card industry runs on old technology, and criminals are exploiting money in other ways nowadays, yet billions of dollars are still being poured into PCI. Compliance is something the payment card industry created itself to get government regulators off its back. Be willing to go above and beyond, because security risk keeps growing in this age of new technology.