I like Andrew’s approach of simply setting out the objectives, and leaving it to the industry to determine the best way of getting to the finish line. In this cat-and-mouse environment, that “best way” will be consistently changing, which means hard-and-fast regulations that work today may be hopelessly outmoded tomorrow.

But then, I’m just a PR flack…what do I know?

People who don’t know what “reducing risk” mean can use the PCI standards as a voluntary framework. They can also take other steps available to them–hire consultants, talk to peers, use an MSSP, etc.

Under the current PCI framework, companies have more incentive to become “compliant” than they do to actually manage risk. That’s backwards. My idea is to enforce the intent of PCI–manage the risk–without mandating the path you take to get there.

And they would have that right, to a certain extent. Don’t forget that there are plenty of other restrictions out there for negligence and liability. The idea here, if I understand correctly, is simply to penalize the negative consequences. Some folks might, for example, opt to insure against the risk rather than implementing prescriptive controls which haven’t been validated as being useful.

Pete

There are a number of control frameworks that exist in the security profession – and PCI is out there, so that could be used as a guide as well. Heck, how does anyone trying to comply with SOX know what to do? They don’t follow SOX, they ask their auditors and security pros.

Andrew’s “paper” was a blog post, so not a whole lot of details there. I don’t really see what is idealistic about it – it seems fairly straightforward to me, and perhaps more importantly, it is run by private enterprise so they could actually rewrite the rules to rewrite PCI to focus on penalties and not on controls.