PCI Will Save You
April 10th, 2007 by datasecurity Posted in Compliance
After re-thinking my last post, PCI Won’t Save You, I wrote up what I would rather have seen in the original DarkReading article.
I agree that PCI compliance alone will not make every network secure and that compliance is not a silver bullet. What compliance does is get companies to start thinking about data security and moving in the right direction. Do I think that every system should have file integrity monitoring software? Personally, no. Do I think that every company should encrypt, hash or truncate sensitive customer data and secure all remote access methods? Personally, yes.
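The "hash or truncate" option is worth seeing concretely, because the two are not interchangeable and doing both carelessly is worse than doing one. The Python below is an added example written for this page, not code from the original post. It truncates a PAN to the first six and last four digits (the most PCI DSS allows to be displayed), hashes the full PAN with a keyed HMAC, and then shows why an unkeyed hash stored next to the truncated value hands an attacker the full number back: only the masked middle digits are unknown, and the Luhn check prunes most of those. The card number and key are constructed sample values, and the key would live in a key-management system rather than in source.

```python
"""PAN truncation and keyed hashing, plus a demonstration of why an unkeyed
hash combined with truncation is not enough. Example written for this page."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample values for the example only.
SAMPLE_PAN = "4111110000171111"        # Luhn-valid test number, not a real card
EXAMPLE_KEY = b"example-only-secret"   # assumption: the real key lives in an HSM/KMS


def digits_only(pan: str) -> str:
    """Strip spaces and dashes, then check the length (PANs are 13 to 19 digits)."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("not a plausible PAN length")
    return d


def luhn_valid(d: str) -> bool:
    """Luhn check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits; mask everything between."""
    d = digits_only(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and keyless, so cheap to brute-force."""
    return hashlib.sha256(digits_only(pan).encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes = EXAMPLE_KEY) -> str:
    """HMAC-SHA256 under a secret key: without the key the digest cannot be tested
    against candidate PANs, so truncation and hash can safely coexist."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(truncated: str, unkeyed_digest: str) -> Optional[str]:
    """Given a truncated PAN and the unkeyed hash of the full PAN, recover the PAN.
    For a 16-digit card only six digits are unknown (10**6 candidates, a tenth of
    them Luhn-valid), so the search finishes in seconds on a laptop."""
    prefix, suffix = truncated[:6], truncated[-4:]
    width = len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=width):
        candidate = prefix + "".join(middle) + suffix
        if not luhn_valid(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == unkeyed_digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = truncate_pan(SAMPLE_PAN)
    print("truncated:", masked)
    print("keyed hash:", hash_pan_keyed(SAMPLE_PAN)[:16], "...")
    print("recovered from truncation + unkeyed hash:",
          recover_from_truncation(masked, hash_pan_unkeyed(SAMPLE_PAN)))
```

The takeaway for a merchant reading requirement 3.4 as a menu: if the same database holds a truncated PAN for customer service and an unkeyed hash for matching, the "hashed" column is protecting nothing. Later versions of the standard say this explicitly; the keyed variant above is the cheap way to satisfy it.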
Here is a list of the things that PCI DSS compliance will not save you from:
- PCI will not make you secure. If you are doing the bare minimum to meet compliance and not thinking about security or strategy, then PCI will not save you.
- PCI will not save you from data theft, which is different from a data compromise. If an employee hits print-screen on every customer record they bring up, prints the captures and walks out with the printouts, there is little a technical control can do about it.
- PCI will not save you from natural disasters. The standard leaves this to disaster recovery planning (DRP), because if a company is struck by a natural disaster the data inside will (generally) not be disclosed. (Requirement 9.5 does mandate that backup tapes be stored in a “physically secure and fireproof” location.)
- PCI will not save you from the unknown. A background check on an employee may turn up nothing nefarious in their past, but does that make them a perfect employee? PCI cannot protect you from the crime nobody saw coming, but then again, what will?
So this raises the question: what WILL compliance with PCI save you from?
- According to the card associations, compliance with PCI will put you in “safe harbor” status meaning you will not be assessed non-compliance fines if you are compliant at the time of a compromise.
- Compliance will provide you “the benefits of tiered interchange rates” based on your PCI DSS compliance status.
- Compliance means that you are generally more secure and thus (1) harder to compromise, so (2) attackers will move on to targets where a compromise is easier.
I think that security and compliance will save you from a long list of perils. The question that remains is, how will it affect my bottom line? Everyone has to make trade-offs between security/compliance and capital. There are different ways to address this:
- Meet the letter of the PCI law
- Leverage compensating controls to meet compliance
Either way, you need to meet the intent of the requirement. And by “need to” I mean you need to make a business decision about compliance and security and what level of each you want at your company.