PCI standard accused of being ambiguous and not achieving its aims

News by SC Staff

The PCI DSS has been accused of not yet accomplishing what it originally set out to achieve.

Andrew Walker, CEO of Portaltech, claimed that the standard is ‘ambiguous’ and said that there is a feeling in the industry that the card-issuing companies do not mind this ambiguity.

Walker said: “Even though there have been many versions of the standard, each one is more onerous than the last and has not been successful in ironing out the problems. It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security. The fact is, you can be PCI-compliant and still be insecure.”

He further claimed that online application vulnerabilities are a rapidly growing area of security concern, and that exposures in customer-facing applications pose a real danger of a security breach.

Walker also claimed that there is a problem with the concept of ‘scoping’, where implementation decisions can narrow the scope of systems to which the standard applies.

“This in turn causes confusion and means that some systems and processes may fall outside the boundaries of the standard and therefore will not be investigated – even if these systems or processes contain sensitive personal information,” said Walker.

Despite his criticisms, Walker did claim that there were some overall positives with the standard. He said that it ‘is a step towards making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems’.
