Friday, September 4, 2009

PCI, Compliance, and Security

[I am occasionally contributing to the Corporate Overlords' blog, including a version of the post below.  I am posting a version here, too, because the snark level on the official version was a bit low for my tastes].

Some people seem to be confused about compliance- some hate it, a few like it (I worry about these), and some really like to argue about it, especially when it comes to PCI-DSS.  PCI-DSS is the much-maligned Payment Card Industry Data Security Standard, a set of requirements for companies which process credit card data.  Full documentation is available from the PCI website.  The standard is currently 72 pages, not a quick read- and that may be part of the problem; an amazing number of people like to argue about it without ever actually reading the beast.  But then again, facts only serve to screw up a perfectly good uninformed rant.

I believe the root problem is that many people confuse being compliant with being secure.  While they may be complementary goals, compliance and security are very different.  Being compliant with a "security" standard or regulation does not make you secure, and it's approaching the problem from the wrong direction- focusing your efforts on being secure, then aligning with your compliance requirements, will result in a more secure, sustainable, and affordable environment.

Even people who should know better have been confused by this (or lied and claimed to be confused); recently Heartland CEO Robert Carr said in an interview with CSO Online that he believed PCI compliance meant that Heartland was "secure".  We all learned that Heartland wasn't secure when they suffered the "Largest Data Breach Ever".  The reactions to Mr. Carr's comments were strong and swift; Rich Mogull and Mike Rothman were among the many people who took exception to Mr. Carr's statements about compliance and security- and eloquent though their responses were, the controversy Mr. Carr's comments sparked only serves to highlight the problem.

Part of the confusion comes from the different security postures of organizations before they begin their compliance programs.  For a company with poor security and a lack of organizational awareness of security standards, becoming PCI- (or whatever)- compliant can introduce many positive changes and dramatically improve the overall security of the organization.  On the other hand, if an organization already has a well established and effective security posture, becoming compliant should be fairly easy, BUT, it could result in losing focus on security as attention shifts to compliance.  Worse still, if an organization has done a thorough risk assessment and focused their efforts accordingly, some regulations may require them to divert resources to addressing requirements which are not aligned with actual risk to the organization, effectively reducing their security.

Another problem with compliance is that while most security professionals understand that regulations define the minimum security standard, many outside of the field believe that compliance is all that you need to do to be secure- thus confusing a security baseline with a finish line.  Or, maybe they don't confuse them, but a scrap of paper gives them cover to say they have done "enough".

In the absence of standards and regulations it is often easier to grasp that security is a process, not something you "are" or "aren't", and should be tailored to fit the situation.  Unfortunately, it is also common for organizations to neglect security unless they are required to comply with some regulations or laws.

Finally, complaining about PCI, HIPAA, or any other regulation doesn't change the fact that we need to comply.  Go ahead and work to change the laws or regulations you find onerous- but complaining is no substitute for an ongoing assessment of your environment, securing it as appropriate, and mapping your security posture to meet compliance requirements.