While PCI has probably helped fund many a security project and infused lots of dollars to security vendors in the last three to four years, why are companies that are PCI-compliant getting compromised?
The problem lies in the fact that security professionals and their bosses are still under the false impression that compliance equals security.
Interestingly what some originally found as refreshing (clear language and guidance) are now the things that hinder the standard. Because PCI is very prescriptive and lays out exactly what needs to be done, it can lull an organization into a false sense of security.
Just look at Hannaford and Heartland Data Systems. Both were PCI-compliant but both were compliant at one particular moment in time.
Recently the Heartland Data Systems CEO Robert Carr blamed the QSA for its huge data breach woes. The problem is a seal of approval from an auditor does not in any way shape or form ensure that your organization is secure.
Many in the security industry were up in arms over his statements, arguing that Carr was shirking his responsibility as the CEO. And while he may not have understood security per se, he should have understood the risk his company faced and made a business decision based on Heartland's risk threshold.
While we'll never know the conversations that occurred before the breach, his comments prove that something was very broken. Either top Heartland business executives were told or believed that if they were PCI compliant, that they would be safe or they did not have a strong risk management program in place to begin with. Now Heartland is the poster child for shoddy security and will pay the consequences.
As a security professional, there are lots of lessons to be learned by the Heartland breach.
First organizations need to articulate risk to their top leaders and in terms they understand. They need to be crystal clear that a passed audit is just that. And meeting something a standards body or a legislator puts together is not a security program. While compliance can help get money, it should be a justification for dollars on projects that you really need to get done to protect the organization (and meet a particular compliance mandate.)
Regulations and industry standards are not going away. PCI, which began as a standard, is getting even more powerful. Recently Nevada lawmakers made it legally binding for businesses accepting payment cards to be PCI compliant.
The challenge for security pros is to use these mandates as a budget lever but also clearly articulate what an organization is getting from those investments. And while a good security and risk management strategy is very important, no organization is hack-proof.
Kelley Damore is Editorial Director of Information Security and TechTarget's Security Media Group. Send comments on this column to firstname.lastname@example.org.
- Meet PCI DSS Requirements –HackerOne