Tucked away in the conclusion of this article is an interesting question: is the PCI Data Security Standard effective? Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me). The more interesting question is whether the PCI DSS, or any self-regulation, can be an effective counter to information security threats. I don't know the answer, but the article gives some indication that the answer might be no.
Of course, the article itself did not tackle the question of self-regulation versus governmental oversight. The article was devoted to describing a new set of guidelines that is intended to facilitate the process of becoming PCI compliant. Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing. The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance. The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at Heartland Payment Systems. The article mentioned that a spokesman from the PCI Security Standards Council had said that there wasn't anything wrong with the standards. However, if that's true, it raises a bigger question: why are the breaches still happening?
One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self-regulation isn't an effective means of influencing behavior. I think that position is probably too extreme: merchants do care about the PCI DSS. However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening, indicate that something needs to change. Maybe that change is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.