Anton had an interesting post up yesterday titled "Five Reasons to Dislike PCI DSS – And Why They Are WRONG!". As per usual, it's decent writing, EXCEPT that poor Anton is wrong himself (not to mention that he lists five "wrong" reasons and then concedes the fifth is actually right - a little confusing, that!:).
So, the two "wrong" reasons that I take issue with are:
1. PCI DSS is a distraction from “real” risk management and security: WRONG!
2. PCI is just checklist security: WRONG!
Anton elaborates on them further (read his post for the full details).
Here's the thing, and why I have to disagree with him... perception is far more important than reality. Just because the PCI Security Standards Council actually intended a risk-based approach, and just because they did not intend it to be checklist security, does not mean that is how it is perceived, let alone how it is used. The fatal flaw is that the preamble to PCI DSS in the beginning (v1.0) did not start with "the following may appear to be a prescriptive checklist, but it is instead a way to benchmark organizational maturity using a risk-based model." The fact of the matter is that the PCI DSS does not define risk, does not tell you to set up a risk-based model, does not talk about maturity, etc. It tells you prescriptively what you have to do to become compliant. That is a hideously bad thing, precisely because of Anton's #3 ("We “got compliant” and now we are breached – it’s PCI’s fault: WRONG!").
The folly behind all this is: if you tell people specifically what needs to be done to achieve compliance, they will do that, and only that. It's the path of least resistance. And no matter how loudly you disclaim that "PCI compliance does not make you hacker proof," people will still think that compliance == security. Is this right? No. Does this make sense? No. Well, sort of. The problem is that people (generically) still do not fully understand information security. The feedback loops simply don't exist in the brain yet for understanding and reacting to infosec.
So, to Anton, and others, I say that the PCI DSS has brought us to this failure scenario precisely because it used the wrong approach in communicating its mission and intent. The stated goal has always been compliance, rather than risk reduction, risk resilience, or proper risk management. The reason we know the goal has always been compliance is that it's mandatory to meet all of the prescriptive requirements. That makes PCI DSS checklist security, whether the Council intended it that way or not. Why? Because that's the path of least resistance - the easiest way to get the box checked.