PCI standard accused of being ambiguous and not achieving its aims
Andrew Walker, CEO of Portaltech, claimed that the standard is ‘ambiguous’ and said that there is a feeling in the industry that the card-issuing companies do not mind this ambiguity.
Walker said: “Even though there have been many versions of the standard, each one is more onerous than the last and has not been successful in ironing out the problems. It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security. The fact is, you can be PCI-compliant and still be insecure.”
He further claimed that online application vulnerabilities are a rapidly growing area of security concern, and that exposures in customer-facing applications pose a real danger of a security breach.
Walker also claimed that there is a problem with the concept of ‘scoping’, where implementation decisions can narrow the scope to which the standard applies.
“This in turn causes confusion and means that some systems and processes may fall outside the boundaries of the standard and therefore will not be investigated – even if these systems or processes contain sensitive personal information,” said Walker.
Despite his criticisms, Walker did claim that there were some overall positives with the standard. He said that it ‘is a step towards making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems’.