Opinion
Compliance Complaints
Data breaches at Heartland and elsewhere lead some to suggest PCI DSS doesn't work. Editor Derek Slater says that's ridiculous.
By Derek Slater
February 26, 2009 — CSO —
IDC, a sister company to CSO, predicts that IT security spending will still grow by nearly 10 percent in 2009, and even faster in 2010. They characterize security as "the least likely area [in IT] to face cuts in response to the current economic crisis."
And we all know the main reason: regulatory compliance.
It would be fun to tell ourselves that years of awareness training and our evermore-sophisticated security metrics had gotten traction at last. But it's the law's long arm that is goading companies to keep their wallets open for security in this dreadful financial season.
California SB1386 may be the single most effective piece of legislation in this battle; that law (along with the versions it spawned in other states) hits CEOs right where it hurts, in the "Don't show up on the front page of the Wall Street Journal" part of their anatomy. But in terms of influence, the requirements of PCI DSS, the Payment Card Industry's Data Security Standard (do I really have to keep spelling it out?), are surely breathing the same rare air. PCI is, of course, not a government regulation, but an industry attempt at self-regulation.
The new year kicked off with a disclosure from Heartland Payment Systems of a data breach that may be the largest on record, surpassing the dubious record set by TJX Companies (more than 100 million accounts affected, according to data on privacyrights.org). Heartland processes more than 100 million card transactions every month, and the breach apparently went undetected for several months.
A huge breach so close to the core of the credit card industry—that's disheartening. A bit of security industry self-reflection followed, as reflected by articles, blog posts, Twitter discussions, et cetera, all chewing over the question:
Does PCI work?
Some say the hack exposes PCI as irrelevant. Others retort that they've never seen a breach at a company that really was compliant.
Does PCI work? Silly question.
As BT security consultant Ben Rothke said to me, it's a little bit like looking at crowded prisons and concluding that we shouldn't have laws about violent crime because they don't prevent all violent crime.
PCI needs improvement? The PCI audit process isn't perfect? PCI compliance doesn't prevent all cybercrime? Well, color me "shocked, frankly, shocked," like Claude Rains in Casablanca. Everybody in the security field knows that regulatory compliance—or ISO guideline compliance, or compliance with anything—doesn't take all the risk out of business. You have to keep evaluating and improving every aspect of security. Threats evolve, so defenses must evolve, standards must evolve, legislation must evolve, individuals must evolve.