A good question, but perhaps you should phrase it "Does PCI harm security".
To answer both questions, I would differentiate very roughly between two types of organizations (even though most fall in between these two extremes):
- Security-conscious organizations, that routinely perform business-risk based analysis, have a comprehensive SDL in place, perform all the right moves, etc.
- Security-unconscious organizations, that have no interest in anything they are not absolutely forced to do, and especially not if it doesn't make any money.
For the second group, PCI absolutely helps, a lot, in the following ways:
- Awareness (now someone is at least allowed to mention security, and hopefully they're all talking about it)
- Budget - since otherwise management would never have allocated any resources whatsoever to invest in any form of security, now at least they are forced to at least pay lip-service.
- Minimal baseline of least common denominator activities. (Hopefully this includes training the developers, which helps more than any regulation...)
Basically it forces them to acknowledge security, and hopefully some additional good will come out of it.
For the first group, there are two (two and a half) main consequences:
- There are (rare) situations where the organization has to choose between a real security solution, and compliance with the generic baseline LCD.
- Budget is now forcefully allocated to the minimal, generic baseline LCD as defined by some external group that knows nothing about their business. (This budget would probably be more useful in different security activities / products / etc).
- Management is quicker to pass on any security investment that is not mandated directly by the PCI - "if they don't need it / if it's good enough for them without, why should we bother?" or "If it was important, PCI would have required it".
In this case, PCI is doing more harm than good, since getting them to build in security is not an issue for these orgs.
However, one benefit of PCI compliance that is shared across the board:
PCI compliance reduces the risk of the penalties of non-compliance.