Martin Mckeay, Mike Dahn, Anton Chuvakin and a lot of others are talking about the impact and/or the meaning of the Heartland breach on PCI. It raised the debate about compliance versus security, with valid points on "doing security first" and "security and compliance only have few points in common". I agree with both, but there is also something else that's not being mentioned.

PCI and regulations in general are usually written to address issues that cause more risk and are more common. They are also built to fit most of the target organizations. That means that every organization has its own particular risks and characteristics that may be a very important security concern but that is not necessarily addressed by the standard. To address everything for everybody on the standards would make the cost related compliance AND validation something huge, out of the scale of reasonable costs for risk mitigation.

There is a way to solve that by building risk management based standards, like ISO27001, but they are usually more expensive to implement (and to validate). Also, those standards work very well to deal with risks to the organization, not to third parties (like cardholders), though considering audit issues and fines a risk themselves can help on fixing this "glitch". Honestly, to complicated for me, I don't believe that the results from implementing those risk management systems are not proportional to the costs.

If both ways of writing (and using) regulations are flawed, what are our alternatives? I'm still not sure, but I think that maybe a mixed approach could bring better results. I also think that threat detection is considerably underestimated and could be improved by forcing some real time collaboration among organizations. Feeding data from several different organizations defenses (like firewalls and IDSes) into a massive correlation system would probably bring the same benefits that the current card fraud detection mechanisms are delivering for years.