By Robert Westervelt, News Director
Any analyst or security expert will tell you that the Payment Card Industry Data Security Standard (PCI DSS) has had a profound effect on the security industry.
The credit card giants created the PCI Security Standards Council in 2006 to supply a blueprint that merchants can use to better protect credit card data. While some studies suggest PCI DSS compliance requirements are encouraging merchants to deploy a minimal level of security, critics such as Joshua Corman, director of enterprise security research at the 451 Group, point to some potentially negative consequences.
In this edition of Security Wire Weekly, Corman and Paul Judge, chief research officer of Barracuda Networks, talk about compliance's role in shaping the security industry and whether it has hindered the emergence of innovative security technologies. Judge argues that compliance has stimulated specific security markets, cranking up competition. "Everyone benefits from a vast amount of improvements over a short amount of time," Judge said.
Corman, however, explains that compliance incentivizes behaviors and actions and can result in unintended consequences. PCI 6.6 helped fuel adoption of Web application firewalls, and "caused potentially some innovation and competition in a very narrowly defined category of security controls." But many of the security controls advocated by PCI and other compliance mandates are well past their expiration date and pretty easily defeated on a regular basis, Corman said.