Does PCI compliance really reduce risk and improve security?

A good question, but perhaps you should phrase it "Does PCI harm security?"

To answer both questions, I would differentiate very roughly between two types of organizations (even though most fall in between these two extremes):

  • Security-conscious organizations, that routinely perform business-risk based analysis, have a comprehensive SDL in place, perform all the right moves, etc.
  • Security-unconscious organizations, that have no interest in anything they are not absolutely forced to do, and especially not if it doesn't make any money.

For the second group, PCI absolutely helps, a lot, in the following ways:

  • Awareness (now someone is at least allowed to mention security, and hopefully they're all talking about it)
  • Budget - since otherwise management would never have allocated any resources whatsoever to invest in any form of security, now at least they are forced to at least pay lip-service.
  • Minimal baseline of least common denominator activities. (Hopefully this includes training the developers, which helps more than any regulation...)

Basically it forces them to acknowledge security, and hopefully some additional good will come out of it.

For the first group, there are two (two and a half) main consequences:

  • There are (rare) situations where the organization has to choose between a real security solution, and compliance with the generic baseline LCD.
  • Budget is now forcefully allocated to the minimal, generic baseline LCD as defined by some external group that knows nothing about their business. (This budget would probably be more useful in different security activities / products / etc).
  • Management is quicker to pass on any security investment that is not mandated directly by the PCI - "if they don't need it / if it's good enough for them without, why should we bother?" or "If it was important, PCI would have required it".

In this case, PCI is doing more harm than good, since getting them to build in security is not an issue for these orgs.

However, one benefit of PCI compliance that is shared across the board:

PCI compliance reduces the risk of the penalties of non-compliance.


The first thing you need to be aware of is that PCI DSS is NOT intended to protect your organization. It is intended to protect the payment networks and the payment ecosystem. This may sound odd to many, but just ask Visa and Mastercard.

I agree with AviD's comments. "PCI Compliance" reduces some specific risks and probably makes those organizations (that aren't doing anything) more secure. But PCI compliance should not be any organization's ultimate goal.

Another thing to make clear is that there is a BIG difference between "PCI Compliance" and actually exercising all of the requirements of PCI DSS in a manner that is commensurate with the risk. Many organizations are "Compliant" (or think they are) today because of someone's poor interpretation of PCI DSS or because they didn't do a full gap assessment.


From experience: I did work for a credit card processor, and PCI helped us to

1) Get attention from the high-level managers (security became important when they heard that we could lose the rights to work with VISA and Mastercard).

2) Security got the chance to become part of the development lifecycle in the whole company, and the developers started to think twice before giving a solution like "save the security number in this txt and leave it there, lying around, on a desktop used by 30 people".

3) Security got budget to handle the legacy, put it in compliance, rethink old solutions and find new solutions for old hacks.

So in my opinion, being PCI compliant doesn't make your company more secure; yes, its main focus is to protect VISA and Mastercard, but it will open some doors to security, it will give you more budget and it can help you to review your legacy and be more diligent with your software development lifecycle in general.