Shostack + Friends Blog

A PCI Threat Model

Compliance isn't Security, oh and something I wrote.

The reason I hate compliance programs is because they're lists of things we need to do, and many times, those things don't seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that "a requirement to have a control absent any threat" is why we hate compliance programs (not joking).

So when Anton Chuvakin wrote an article on Data Security and Threat Models and closed it with "explicit threat models do make security better," I remembered that I'd actually written up a threat model for PCI, but not shared it. It's now at A PCI Threat Model, and I have a column in Dark Reading explaining how this can solve the problem with security standards.

Originally published by Adam on 24 Sep 2020
Categories: threat modeling

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The ATOM feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.