PCI, Compliance, and Security

Some people seem to be confused about compliance: some hate it, a few like it, and some really like to argue about it, especially when it comes to PCI-DSS. PCI-DSS is the much-maligned Payment Card Industry Data Security Standard, a set of requirements for companies that process credit card data. Full documentation is available from the PCI website.

The standard is currently 72 pages, not a quick read, and that may be part of the problem; an amazing number of people like to argue about it without ever actually reading the beast. I believe the root problem is that many people confuse being compliant with being secure. While they may be complementary goals, compliance and security are very different. Being compliant with a “security” standard or regulation does not make you secure, and I believe that starting from compliance approaches the problem from the wrong direction: focusing your efforts on being secure, then aligning with your compliance requirements, will result in a more secure, sustainable, and affordable environment. Even people who should know better have been confused by this; recently Heartland CEO Robert Carr said in an interview with CSO Online that he believed PCI compliance meant that Heartland was “secure”.

We all learned that Heartland wasn't secure when they suffered the “Largest Data Breach Ever”. The reactions to Mr. Carr's comments were strong and swift; Rich Mogull and Mike Rothman were among the many people who took exception to Mr. Carr's statements about compliance and security, but the controversy Mr. Carr's comments sparked only serves to highlight the problem. Part of the confusion comes from the different security postures of organizations before they begin their compliance programs. For a company with poor security and a lack of organizational awareness of security standards, becoming compliant with PCI (or whatever) can introduce many positive changes and dramatically improve the overall security of the organization.

On the other hand, if an organization already has a well-established and effective security posture, becoming compliant should be fairly easy, but it could result in losing focus on security as attention shifts to compliance. Worse still, if an organization has done a thorough risk assessment and focused its efforts accordingly, some regulations may require it to divert resources to addressing requirements that are not aligned with actual risk to the organization, effectively reducing its security.

Another problem with compliance is that while most security professionals understand that the standards define a minimum level of security, many outside of the field believe that compliance is all that you need to do to be secure, thus confusing a security baseline with a finish line. In the absence of standards and regulations it is often easier to grasp that security is a process, not something you “are” or “aren't”, and should be tailored to fit the situation. Unfortunately, it is also common for organizations to neglect security unless they are required to comply with some regulations or laws.

Finally, complaining about PCI, HIPAA, or any other regulation doesn't change the fact that we need to comply. Go ahead and work to change the laws or regulations you find onerous, but complaining is no substitute for an ongoing assessment of your environment, securing it as appropriate, and mapping your security posture to meet compliance requirements.
