Shostack + Friends Blog

 

Does PCI Matter?

It's certainly not a silver bullet...

There's an interesting article at the CBC, about how in Canada, "More than a dozen federal departments flunked a credit card security test:"

Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.

There are some interesting details about the who and why, but what I want to focus on is the lack of (detected) breaches to date, and the impact of the audit failure.

The fact that there have been no breaches detected is usually a no-op, you can't learn anything from it, but with credit cards, there's a "Common Point of Purchase" analysis program that eventually turns a spotlight on larger "merchants" who've been breached. So the lack of detection tells us something, which is that a large set of PCI failures don't lead to breaches. From that we can, again, question if PCI prevents breaches, or if it does so better than other security investments.

The second thing is that this is now a "drop everything and fix it" issue, because it's in the press. Should passing PCI be the top priority for government agencies? I generally don't think so, but likely it will absorb the security budget for the year for a dozen departments.