Channel: SecureITExpert » Compliance

Compliance: Why PCI Is NOT Security (Part 3)


The Perfect Storm.

Next we dig into the darkest corner of a purely compliance-based approach to information security (as opposed to a holistic one): the worst-case scenario, if you will.

Let’s say that you’re in an organization that is solely focused on PCI compliance. The word ‘security’ is rarely, if ever, used in conversations; it’s all about achieving compliance, getting your check marks, and going about your day. Now add the likelihood that what little PCI work is being done happens only within a few months of the assessors coming through for their assessment. That is what I’d call a perfect storm.

The company has almost no security in place. What little it does have is strictly focused on securing cardholder data. Even then, the controls used are implemented with the absolute minimums in mind – only doing that which is necessary to sign them off as compliant. For 8 to 10 months out of the year, these controls fall by the wayside and get little to no attention. A couple of months before the assessors show up, everyone gets together and begins preparing the magic show – getting all of the smoke and mirrors ready.

Answer me this: would you use your credit card to make purchases from this company? Would you recommend that your family and friends use theirs?

I’ll say it again: PCI is NOT security – PCI is a subset of security just like SOX, HIPAA, GLBA, an array of state breach notification laws, and several other legal, regulatory, and contractual obligations are.

If I had to sum up the security value of PCI in a single statement, I’d characterize it as a “static set of controls to address a dynamic set of problems within a borderless complex system”.

Notice a few things here…

  • PCI is a static set of controls – the standard is only updated once every few years.
  • Security is about a dynamic set of problems – security is ALWAYS a moving target that we can barely keep up with on a daily basis.
  • Security deals with borderless complex systems – the environments we work to secure are complex systems in their own right, and now that the network perimeter is largely gone in today’s mobile computing environment, we’re all taking part in one gigantic complex system that no one really owns or controls.

So where does this leave us if PCI is all that's being used?
