Evan Schuman tries to take a cheap shot at the PCI council on StorefontBacktalk. It’s a strange article called PCI Council And Passwords: Do As We Say, Not As We Do
First, to be fair, what’s being protected is not especially sensitive. Specifically, the password is not intended to keep out prying eyes. Rather, its sole purpose seems to be to keep meddling fingers away.
That caveat is extremely important. You really do not need to read any further since the rest of the article is misleading. I’ll try to explain here why it is also wrong.
Companies that must adhere to PCI should take a risk-based approach. This guidance is supported by the PCI Council. This means, in brief, that the most critical assets should be protected while the non-assets or non-critical ones should get less attention and effort. Payment card data is the focus of the Council and that is why you see a great deal of money, time and talent focused on keeping payment card information safe. You should not see, and usually do not, security efforts focused on things that can be easily replaced, are not vulnerable, and have a low likelihood of attack. This can be expressed with the formula: Risk = (Asset Value x Vulnerability x Threat) / Countermeasures
Mr. Schuman again raises this obvious point:
As mentioned earlier, these documents don’t include credit card numbers or other sensitive information. But if the decision is made to lock them down, there’s presumably a reason. If the concern is that QSAs or merchants can change the document, then the Council needs to choose a password that will indeed create the desired protection
Perhaps they put the password on the document as a test to see who would be foolish enough to complain about it.
The article should not have continued past the point that there is no payment card information in the Word document. I would wager they have already succeeded in creating the desired protection. What would the author suggest as a replacement, given that there is clearly no sensitivity, it’s trivial to crack a Word password and it has to function as a shared secret?
The article, contrary to Mr. Schuman’s claims, raises neither irony nor interesting points.
It reads is like someone standing outside a bank complaining that the flowers next to the sidewalk can be stepped on, therefore the bank is not following appropriate precautions to protect its money. Smart auditors know where to draw the line on scope. The author of this article does not show an ability to draw any lines; he awards himself the honor of appearing like a really bad auditor.
Companies that handle payment card information do not need this kind of noise and nonsense from an auditor. They need to hear opinions that reflect the reality of today’s threats and vulnerabilities, and to work with someone who understands how information assets are valued before issuing edicts for every pebble they stumble upon.