I was thinking about writing something about the problems on the PCI standard. I didn't find the time to do it, but Mark Curphey did it, and very well. I really agree with almost everything he pointed on his article.

I'm also seeing a huge distance between measured Risk and security controls when companies try to comply with PCI. Like the encryption requirements, most of the companies have worse vulnerabilities than lack of encryption, mostly when we are talking about information on databases.

The applications need to access the information, encrypted or not. So, all the necessary steps to allow the applications to access the information are there. And there are lots of things to deal with the applications, beginning with secure coding (that is covered, although not very well, by the standard) and passing through user profiles and policies to regulate their access privileges over time.

Besides that, there are many situations where exceptions from the rules are being conceded, most of them on the issuers side. There are lots of old mainframe bases systems being used, and these companies are being able to use compensatory controls over lots of requirements, as the mainframe environment is "secure". Hey, didn't these guys realize that mainframe security today is mostly being done through simple obscurity? PCI assessors are not properly verifying access privileges from people that support production environments. These guys can access lots of information. Now try to point some PCI auditors that know how to dig into details on mainframes to find about those privileges. It'll be very hard to find one.

And what about log management? Anything being done? Almost nothing.