Security and PCI-DSS Compliance

The question of whether compliance makes your networks secure often comes up when performing Payment Card Industry (PCI) Data Security Standard (DSS) remediation and audit work. Many believe that compliance with the PCI-DSS means their networks are secure from exploitation. Unfortunately this is not the case. Passing an independent PCI audit usually indicates reduced vulnerability for those PCI related areas tested, however the PCI segments are usually a small portion of the overall networks.

The payment card industry has one goal in mind and it is not to protect or provide security for your network. Their goal is to protect credit card and card holder data. They do this to limit their potential liability and transfer responsibility for that liability to the entities that provide, accept, use, store or transfer credit card and card user information. That is almost all businesses and many institutions here and around the world.

The requirements for PCI compliance are detailed and cover many aspects of businesses that touch credit cards from policies to network design and implementation, to the business relationships that may share credit card or card holder data. The technical requirements covering the physical and logical protection of this information can be daunting. There are over 280 individual audit points that must be addressed. If they are all addressed properly, then your business is compliant with the PCI-DSS standard, but are you secure?

The short answer is no.

Are you on the way to being secure? Maybe.

This is where a little philosophy comes into play. Compliance is meeting a set of requirements at a point in time. Compliance is usually associated with a standard or regulation that has specific measurable goals and requirements for an area of interest such as credit data, health care data, personal information, etc. Security is a journey through a changing landscape that is never completed and often lacks measurable specifics.

The vast majority of companies will do whatever it takes to become compliant, but few are willing to invest in becoming truly secure. Compliance is finite; it is a stake in the ground. Security is illusive requiring constant adjustments and investments and in the end, you may be more secure than when you started, but you still aren’t secure.

Many companies decide to stop at compliance. It doesn’t have to be that way. Compliance will never equal security however compliance can be generalized to improve overall security for your business. The key is adopting those elements that can be applied efficiently in a broader environment. Standards such as the PCI-DSS are a great start down the path to security, but it’s only a starting point.

PathMaker Group, a PCI QSA qualified company, provides a broad range of PCI specific and other security consulting services as well as identity management implementation and support.