PCI Compliance Does Not Equal Security
April 11, 2019
Many organizations design their IT security programs around the PCI DSS. The problem with this approach is that the PCI DSS is scoped to the protection of payment card data; it gives no consideration to the organization's risk appetite, budget, or business requirements, or to the other sensitive data the organization holds. This is not to say that the PCI DSS does not reduce risk, because it does. However, relying solely on it to secure sensitive business information, including Personally Identifiable Information (PII) that never touches the cardholder data environment, leaves gaps in an organization's overall security posture. Those gaps can lead to a breach, and a breach brings expensive fines, increased audit scrutiny, and brand damage.
The Compliance Pitfall
Many recent high-profile security breaches occurred at organizations that had passed their most recent annual PCI compliance assessment. Countless organizations devote valuable resources to becoming compliant only to find that they are not secure. That is because compliance standards like the PCI DSS are narrow in scope and slow to change, while the threat landscape changes constantly. For instance, the PCI DSS continued to permit weak cryptographic protocols (SSL and early TLS) for years after the security community had shown them to be vulnerable to practical attacks; the standard did not stop accepting them as strong cryptography until version 3.1, and the migration deadline was pushed out to June 30, 2018. Unfortunately, many organizations that built their IT security programs around the PCI DSS kept the vulnerable protocols in use across their entire IT infrastructure, not just in the cardholder data environment, because doing so was good enough for PCI compliance.
PCI SSC Guidance – Understanding the difference between compliance and security
“The PCI DSS security requirements are intended for the protection of payment card data, and your organization may have other sensitive data and assets that need protecting which could be outside of the scope of PCI DSS. Therefore, while PCI DSS compliance, if properly maintained, can certainly contribute to overall security, it should not be viewed as a replacement for a robust, organization-wide security program.”
PCI compliance is a one-size-fits-all approach to satisfying an external requirement, and it does not reflect the unique needs of most of the organizations subject to it. For example, the PCI DSS requires organizations to have documented policies and procedures defining how IT management activities are performed. An organization can be deemed non-compliant if it is missing even one of the many policies and procedures the standard calls for. Without question, policies and procedures are fundamental to every security program. However, a missing or incomplete document does not by itself make an organization's IT infrastructure less secure, and a complete binder of them does not by itself make it more secure. The assessment measures the paperwork, not the attack surface.
The Secure Approach
Both security and compliance exist to address risk. However, putting compliance above, or even on an equal footing with, security exposes an organization to unnecessary risk. Security is not just a matter of having policies and procedures, up-to-date antivirus software, properly configured firewalls, and patched computer systems. It is a comprehensive, continuously maintained approach that consistently and effectively addresses the ever-changing risks the organization actually faces, including the ones no standard has caught up with yet.
Designing and implementing an effective security program always begins with understanding the requirements of your organization and the associated risks. This enables people, processes, and technologies to efficiently work in harmony to ensure the confidentiality, integrity, availability, and accountability of the organization’s assets.
Remember, compliance does not equal security, and security does not equal compliance. An effective security program, coupled with a solid compliance strategy that maps the controls you already run onto the requirements an assessor will ask about, makes future compliance audits easier, saves money in the long term, and protects your organization's most critical assets.