Data Breaches Show PCI DSS Ineffective


Data Breaches Show PCI DSS Ineffective: “

By Danny Lieberman, Security Expert and Founder of Software Associates

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found 71% of companies don’t consider PCI as strategic, though 79% had experienced a breach.

Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey.  Is PCI DSS a failure in the eyes of US companies?

Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security – cost of damage and goodness of fit of countermeasures

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question.If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k – then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don’t see PCI as strategic is an indication that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition If you want to satisfy the two principles you have to prove 2 hypotheses: Data loss is currently happening.

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?

A cost effective solution exists that reduces risk to acceptable levels.

* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?

If PCI is a failure, it is  not because it doesn’t prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use it’s common sense and ask these practical, common-sense business questions.

* * *

Stay Informed With ISR News Alerts:


by FeedBurner

* * *

Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 – Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention /extrusion prevention technology.

Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at: +972 54 447 1114 –  he is always looking for interesting projects and ideas.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: