
The Failure of the PCI-DSS? (2014) - tonyztan
https://www.anitian.com/blog/the-failure-of-the-pci-dss/
======
27182818284
There are details of this article that are pretty spot on. For example, I've
personally seen an institution fail, then just turn around and change QSA to
one that passed them without any changes. This is right in line with the "The
current state of QSAs is appalling" introductory sentence.

I do disagree with PCI being a great standard—it isn't.

* It is often vague, leading to unnecessary debates between managers and engineers. (E.g., is a smart router that has a login screen a server?)

* It forces unnecessary password resets

* It doesn't do a great job defining changes to the server so again you can interpret that different ways. If there is a typo and I change it in a content view, is that the same thing as changing a typo in code? (You should see the fights this causes amongst engineers and managers in large organizations.)

* Two-factor doesn't seem largely recognized. It is sometimes talked about by QSAs, but, in my experience, they don't really seem to get it...

* There was a situation where a QSA said to my organization at the time that everything needed to be N many hops away, but wouldn't define concretely what a hop was. Nor did it matter, because we had already seen attacks where the attacker took more than 2 hops internally to escalate their privileges.

What it is great at, and I'll give it that, is that PCI echoes the old adage
of "Nobody went broke by hiring IBM." It gives great deniability if something
does go wrong by saying "Hey we followed PCI! See?!" despite its actual
usefulness being pretty doubtful to me.

