Friday, October 03, 2008

Is the PCI guy serious?

Version 1.2 of the PCI Data Security Standard was released yesterday. If you're really interested, you can find some analysis on what's new here, here and here (or via your favourite search engine of course).

I'm not sure how much more useful PCI DSS version 1.2 will be compared to the "worthless v1.1 incarnation" in a practical sense, but if comments by Bob Russo, General Manager of the Payment Card Industry Security Standards Council are anything to go by I'm not holding my breath.

On page 2 of an article today, he's quoted as saying:
"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally. But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that next year."
Is he serious? Or was he misquoted? Or maybe the comment was taken out of context? Or maybe my eyes are deceiving me?

Just because you have end-to-end encryption doesn't mean data is any more secure. Sure, if you have any of your disks stolen, then you're probably ok. But what about protecting consumers against your employees who have legitimate access to the data? If there's no monitoring and logging, then there's no psychological deterrent and no audit trail if something does happen!
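To make that point concrete, here is an added example (written for this post, not code from the PCI Council or anyone quoted above). It models the one place where cardholder data is decrypted, records every decrypt request in an audit log, and runs a simple check over that log to flag a user who pulls an unusual number of distinct records in a short window. Encryption does nothing against "agent-b" below, because agent-b is allowed to decrypt; only the log and the monitoring catch it. The user names, record ids, timestamps, threshold and the stand-in XOR "cipher" are all constructed for the example.

```python
"""Added example (not from the post): an audit-logged decryption gateway.

End-to-end encryption does not protect cardholder data from people who are
*allowed* to decrypt it. The only control for that case is an audit trail of
every decryption plus monitoring that reviews it. Every decrypt request,
allowed or denied, is recorded, and a detector flags a user who decrypts an
unusual number of distinct records in a short window.
All names, keys, timestamps and thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Placeholder "cipher": XOR with a fixed key. It stands in for the real
# end-to-end encryption (e.g. AES-GCM) so the script runs offline; it is NOT
# a secure cipher and only exists to give the gateway something to undo.
_KEY = b"constructed-demo-key"


def _xor(data: bytes) -> bytes:
    return bytes(b ^ _KEY[i % len(_KEY)] for i, b in enumerate(data))


# Constructed encrypted store: record id -> ciphertext of a fake PAN.
_STORE: Dict[str, bytes] = {
    f"rec-{n:03d}": _xor(f"4111 1111 1111 {n:04d}".encode()) for n in range(20)
}

# Constructed authorization table: users with legitimate access to plaintext.
_AUTHORIZED: Set[str] = {"agent-a", "agent-b"}


@dataclass
class AuditEvent:
    ts: int          # seconds since epoch (constructed values in the demo)
    user: str
    record_id: str
    purpose: str
    outcome: str     # "ok" or "denied"


@dataclass
class DecryptGateway:
    """The one place plaintext is produced; it always writes an audit event."""
    audit: List[AuditEvent] = field(default_factory=list)

    def decrypt_pan(self, ts: int, user: str, record_id: str, purpose: str) -> str:
        outcome = "ok" if user in _AUTHORIZED and record_id in _STORE else "denied"
        # Log before returning anything, so a denied request is also on record.
        self.audit.append(AuditEvent(ts, user, record_id, purpose, outcome))
        if outcome != "ok":
            raise PermissionError(f"{user} may not decrypt {record_id}")
        return _xor(_STORE[record_id]).decode()


def flag_bulk_access(events: List[AuditEvent], window: int = 300, threshold: int = 5) -> Set[str]:
    """Users who decrypted more than `threshold` distinct records within any `window` seconds.

    Only successful decryptions count; a legitimate user looking up one
    customer per ticket never trips this, but a bulk pull does.
    """
    per_user = defaultdict(list)
    for e in events:
        if e.outcome == "ok":
            per_user[e.user].append(e)
    flagged = set()
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            seen = {e.record_id for e in evs[i:] if e.ts - start.ts <= window}
            if len(seen) > threshold:
                flagged.add(user)
                break
    return flagged


def run_demo() -> DecryptGateway:
    """Constructed activity: one normal agent, one bulk pull, one denied outsider."""
    gw = DecryptGateway()
    base = 1_222_992_000  # an arbitrary epoch timestamp
    for i, rec in enumerate(["rec-001", "rec-007"]):  # agent-a: two tickets, an hour apart
        gw.decrypt_pan(base + i * 3600, "agent-a", rec, "ticket refund")
    for n in range(10):  # agent-b: ten distinct cards in ten minutes
        gw.decrypt_pan(base + n * 60, "agent-b", f"rec-{n:03d}", "ticket lookup")
    try:
        gw.decrypt_pan(base, "contractor-x", "rec-003", "curious")  # not authorised
    except PermissionError:
        pass
    return gw


if __name__ == "__main__":
    gw = run_demo()
    print(f"{len(gw.audit)} audit events, flagged users: {flag_bulk_access(gw.audit)}")
```

Run as-is it reports 13 audit events and flags only agent-b: agent-a's two lookups an hour apart are normal, the contractor's attempt is denied but still lands in the log, and agent-b's ten decryptions in ten minutes exceed the five-records-per-five-minutes threshold. Swapping the placeholder XOR for real encryption changes nothing about this outcome, which is exactly why the logging requirement cannot be "negated" by encryption.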

I'm shaking my head in disbelief right now...
