Technology is not the answer to compliance
November 11th, 2008 Posted in PCI DSS
I want to take a stand against people who preach technopliance. Technopliance is the belief that compliance only comes through technology, and that buying the wrong technology will make you non-compliant. I’ve always said that technology by itself will not make you compliant or non-compliant, but properly configured technology can reduce risk and help protect cardholder data.
Last year, people said virtualization would break compliance. This year, people said cloud computing would break compliance. And every day people say you need one technology or another to get compliant. This frustrates both sides of the aisle: the information security professionals and the organizations struggling toward compliance. What matters is the configuration of that technology, not the product itself; it is the utility of those systems in risk management, not the application of point solutions.
Here is an actual story about a company trying to reduce their compliance requirements. A company was receiving credit card numbers (just the PAN) for correlation purposes. They realized they didn’t need the PAN, just a unique reference number. They decided to hash the PAN with a salt on the sending side and receive only that hash of the PAN, leaving them no practical way of ever getting back to the original PAN (provided the salt, or better a secret key, stays with the sender and never reaches them). By doing this they were not “storing, processing, or transmitting cardholder data”; nay, they were not even receiving it! But someone was telling them they needed PCI compliance, and that technology would get them there. If they don’t receive the information, then what is there to protect? What is there to make compliant? Nothing.
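The hashing step in that story, as an added example that is not code from the original post or from the company described: a keyed hash (HMAC) gives the receiver a stable reference number for correlation, while a plain salted hash whose salt the receiver also holds can be brute-forced, because a PAN has very little entropy once the usual truncated form (first 6 / last 4) is known. The key, salt, card numbers and function names below are my own constructed values and assumptions.

```python
# Added example, not code from the original post. Two ways to derive a
# reference number from a PAN, and why the secret has to stay with the
# sender: a keyed hash (HMAC) versus a plain salted hash whose salt the
# receiver also knows.
# Assumptions (mine): the receiver also sees first 6 / last 4 of the card,
# and every card number below is a constructed test value.
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check used by card numbers. It fixes one digit once
    the others are chosen, so it shrinks a brute-force space tenfold."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyed_token(pan: str, key: bytes) -> str:
    """Reference token: HMAC-SHA256 under a key the receiver never gets.
    Same PAN -> same token, so correlation still works, but without the
    key a token cannot be tested against candidate PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def salted_hash(pan: str, salt: bytes) -> str:
    """The weaker option: a salt defeats precomputed tables but is not a
    secret; whoever holds it can hash guesses and compare."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def recover_from_salted_hash(target: str, salt: bytes, first6: str,
                             last4: str, length: int = 16) -> Optional[str]:
    """Brute-force the hidden middle digits behind a salted hash. With
    first 6 and last 4 known, a 16-digit PAN leaves 10**6 candidates
    (10**5 after the Luhn filter): seconds of work on one core."""
    middle = length - len(first6) - len(last4)
    for digits in itertools.product("0123456789", repeat=middle):
        candidate = first6 + "".join(digits) + last4
        if luhn_valid(candidate) and salted_hash(candidate, salt) == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed, Luhn-valid test number
    key = secrets.token_bytes(32)  # generated and kept by the sender
    print("keyed token:", keyed_token(pan, key))

    salt = b"shared-with-receiver"  # a salt the receiver knows is not a key
    target = salted_hash(pan, salt)
    print("recovered PAN from salted hash:",
          recover_from_salted_hash(target, salt, pan[:6], pan[-4:]))
```

The brute force succeeds against the salted hash and cannot even be started against the HMAC token without the key, which is the difference between receiving "a hash of the PAN" and receiving something that is still, in practice, the PAN.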
One thing I’m learning from companies that have been through the compliance wringer for 1, 2, or 3+ years is that they are looking to reduce their costs and remove the roadblocks. They no longer care as much about compliance technology, and focus instead on risk management. They care about reducing their costs and managing risk.
If you want the secret to success, focus on risk management with compliance being a byproduct, not the driving focus.
9 Responses to “Technology is not the answer to compliance”
By Branden Williams on Nov 11, 2008
Ahh, the dreaded vendor silver bullet. Nicely put!
By Alex Crittenden on Nov 12, 2008
Thank you for this post - I just hope a LOT of people read this. We run into clients that have been told repeatedly (often by their QSA, who also happens to be a hardware reseller) that they need to buy all kinds of new equipment in order to be compliant. Lo and behold, the QSA’s company happens to sell the very stuff that they’ll need...
Sadly there is a part of human nature that is looking for an ‘easy way out’ and technology has been that easy way for a lot of companies even though it doesn’t really fix the problem in a lot of cases. As you say, proper implementation and management of existing assets can have a far bigger impact than just throwing more ‘tech’ at PCI.
By Walt Conway on Nov 12, 2008
Thanks for this thoughtful post, Mike. Technology alone is not the answer to PCI compliance; we’ve all seen the WAF left in “learning mode,” and the logs that never get reviewed. Maybe a key to getting merchants to get out of a compliance-as-a-checklist mentality is to get C-level management to realize PCI is about protecting their checkbook and their brand, not an annoying requirement imposed by the payment industry.
The closest to a silver bullet I’ve found is “if you don’t need it, don’t keep it.”
By JD on Nov 12, 2008
I definitely agree with the previous posters. Too many times a widget is seen as the end-all fix-all, when introducing these “fixes” often causes more confusion, complexity, and points of failure.
One clarification in your example though:
Was the PAN being securely hashed by the provider or by the example company? If it was the latter, wouldn’t they be “processing” the PAN, and those systems then be in scope?
Cheers,
By redneck on Nov 12, 2008
Well done post. However, this is not just a problem with PCI it is a problem with all industries and with all compliance requirements they are given.
By Michael Dahn on Nov 13, 2008
@JD, yes the devil is in the details. I think we could discuss implementation, but agree that (as Walt said) “if you don’t need it, don’t keep it.”
Also, not enough merchants understand ways and methods to turn cardholder data into non-cardholder data. We need to stop carpet bombing with security and start re-engineering the business process.
By Walt Conway on Nov 13, 2008
One of the points I always make in my PCI merchant training is that PCI means you will change the way you do business. That is, instead of keeping all that cardholder data for marketing or ‘customer service’ purposes, you will make do with first 6/last 4-digits, and you work with your acquirer on exception items (refunds, chargebacks) and recurring payments.
A bigger problem is the rogue database with CHD that you don’t know about until it is breached.
By val on Nov 29, 2008
If you are looking for digital marketing, visit http://www.btoweb.com.br