Security - Baseline
Hannaford Bros. PCI Compliance Claim Spurs Questions



By Ericka Chickowski

  Table of Contents:
  1. Hannaford Bros. PCI Compliance Claim Spurs Questions
  2. Liability Issues
  3. Scrutinizing Assessors
  4. Looking at the Standard

As details trickle out about New England’s Hannaford Bros. grocery chain’s data exposure of 4.2 million customer records, questions are swirling about the implications affecting a merchant that has already been certified compliant with PCI security standards. Will security assessors be found liable?

Hannaford Bros. PCI Compliance Claim Spurs Questions - Looking at the Standard

(Page 4 of 4)

Looking At The Standard
The Hannaford incident has also spurred questions about the PCI standards themselves, but most security experts agree that, apart from a few tweaks, the standard itself is actually pretty decent.

It is a matter of getting organizations to comply in good faith rather than simply chasing compliance for the sake of the certification.

“There's still the loophole around compensating controls which you can drive a truck through and things aren't specified that well, but PCI is better than some of the other standards that are out there,” said Pinkett. “Like any system, if you want to be responsible you can make really good use of it and it helps you have a checklist and helps you communicate to management the importance of the budget that needs to be applied to security programs. Or if you want to game the system, you can game the system so that you can get a checkmark and do as little as possible for that.”

Public relations representatives for the PCI Security Council stated that it is currently waiting for details about the Hannaford breach before commenting on how it will affect the council’s vision of the standard.

Litan of Gartner believes it might stimulate some changes, but that an overhaul isn’t necessary.

“I think that the standard is adequate,” Litan said. “I think that what should happen is that maybe the PCI Security Council will refine section 11 of the standard, which talks about regularly testing the security systems and processes, to be more specific, give more guidance and train the assessors on what to look for because right now it is a little general. But you don’t want them to give too much prescription.”