What does PCI compliance really mean?
This article is part of the September 2009 issue of Information Security magazine
PCI has probably helped fund many a security project and channeled a lot of money to security vendors over the last three to four years, so why are PCI-compliant companies still getting compromised? The problem is that security professionals and their bosses remain under the false impression that compliance equals security. Interestingly, what some originally found refreshing about the standard (its clear language and guidance) is now what holds it back: because PCI is highly prescriptive and spells out exactly what must be done, it can lull an organization into a false sense of security. Just look at Hannaford and Heartland Payment Systems. Both were PCI-compliant, but compliance is assessed at one particular moment in time, and a passing assessment says nothing about the controls in place the day after the auditor leaves. Recently Heartland CEO Robert Carr blamed the company's QSA for its massive data breach. But a seal of approval from an auditor does not in any way, shape or form ensure that an organization is secure. Many in the security industry were up in arms over his statements, arguing ...
Features in this issue
For the fourth consecutive year, Information Security readers voted to determine the best security products. A record 1,721 voters participated this year, rating products in 17 categories.
The demonstration at Black Hat of a hacking tool that lets attackers escape from a virtual machine and attack the underlying host raises the seriousness of security threats to virtualization: a guest-to-host escape defeats the isolation boundary that virtualized deployments rely on.
Encryption solves some very straightforward problems, but implementing it correctly isn't always easy. We'll explain some common misconceptions so you'll understand your options.
Columns in this issue
Accountability for Internet security should be placed on users, not service providers such as hotels.
Security experts Bruce Schneier and Marcus Ranum debate whether perfect access control is possible.
Passing an audit can lull an organization into a false sense of security.