
No standard is ever 100% secure, but...
...PCI was never intended to make merchants invincible to attack. It does, however, go a lot further than the likes of ISO 27001 and SOX in prescribing some very effective ways in which a small organisation without the money to invest in a CSO can reduce exposure.
Being prescriptive is a drawback - one size certainly does not fit all, and many organisations have fallen victim to interpretation issues around the standard and been led into expensive, vendor-laid traps sponsored by the QSA who has delivered the gap analysis, sold the remediation solutions and completed the final audit. Does something sound fishy here?
If you take PCI at face value, which is a top 12 list of things you should do to improve security posture, mostly at a technical level, then I think it serves its purpose very well. Try throwing ISO 27001 at the millions of merchants that present a security risk to the card schemes. It's not going to work - 99% of these companies are just too small, and an ISMS cannot be scaled downward to fit.
Fully agreed, there are some unscrupulous companies who allegedly force-feed their customers with over-the-top, expensive products or even managed services, but this isn't a problem with the standard; it's a problem with the PCI SSC, an infant organisation that is supposedly there to regulate the hundreds of firms and thousands of QSAs and make sure they all behave. Taking some firm steps, such as separating companies that offer gap analyses from those that can audit, and booting useless QSAs off the programme, would go a long way.
It is far too easy for a merchant to gain certification - I'm sure there are many merchants who just tick yes to each of the questions, submit their SAQ and get the certification without giving it a second thought. After all, what's really there to stop them? What are the consequences of lying on an SAQ? Will anyone ever find out, or is one merchant safe amongst millions of others...?
Last, but not least, it's far too easy to become a QSA, and even though the QSA programme says that QSAs should not show bias toward remediation solutions from which they benefit, this practice is VERY commonplace. For example, if you looked at a reputable QSA that rhymes with Dave, their salesmen are ONLY incentivised to sell their own remediation solutions and managed services (and heavily, at that). So which side of the fence do you think the apple will fall...? Even Protegrity could become a QSA (or any other vendor, for that matter). I'm sure they'd make a very good one, too! :)
Come on, PCI SSC - pull your fingers out and start forcing some change before things get out of control.