Secure Coding mailing list archives

PCI: Boon or bust for software security?


From: eballen1 at qwest.net (Bruce Ediger)
Date: Mon, 3 Mar 2008 17:06:38 -0700 (MST)

On Mon, 3 Mar 2008, Kenneth Van Wyk wrote:

> So here's a question to ponder.  Now that PCI DSS 1.1 is out there (save a
> couple June 2008 deadlines still looming), has it been good or bad for
> software security as a whole?

It's a wash.  And that only because PCI has mild good effects, to counteract
"The Business" using it as a bludgeon to get some other concessions they want
from various IT departments.

Let's face it, current management and business practice is to regard all
programmers as plug-compatible, and to put all their emphasis on the
unattainable Holy Grail of "repeatable processes"
(http://www.idiom.com/~zilla/Work/Softestim/softestim.html and
http://www.idiom.com/~zilla/Work/kcsest.pdf). Maybe they need "repeatable
processes" if they outsource to guys who can just barely spell "Java", but
that's really another rant.

In any case, the same management that puts all its faith in the prima facie
nonsense of "repeatable processes" just did some checklist-style PCI
remediation, implementing it without wisdom or imagination.  Management, thy
name is "CYA". They hired the minimum bid network scanners, who really didn't
do much, but did turn in a spectacularly-well-formatted "Word" doc with lots of
buzzwords in it. "The Business" put whatever effort is left over after plotting
Corporate Domination (none) into understanding the PCI remediation checklist,
and now believes that security is well taken care of, now and forever.

PCI compliance is like boycotting gas stations for a day: that day's sales look
pitiful, but over the course of a week, it will all even out, since "compliance"
gives "The Business" a false sense of security.
