


by Michael Gough, CISSP, CISA, VP of Capital of Texas ISSA Chapter

Claiming PCI or any other compliance – daily

Aug 11, 2010 | 5 mins
Compliance | Data and Information Security | Government

Are you really PCI compliant? Or just PCI certified? There is a difference, according to Michael Gough.

Let’s be honest: organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or, worse, cut you off from credit card processing.

“OMG! I would not be able to process credit card payments, it will cost me untold profit… OMG!”

That is more like it. But we all know that an organization which truly practices good information security every day would already be PCI compliant (lacking only the QSA’s certification, of course), and would most likely be in compliance with just about any other compliance or regulatory requirement thrust upon it.

See also Why 41 Percent of You Would Fail a PCI Audit

If you follow, and actually practice, perform and maintain, a best practice, state of the art, best of breed (call it what you will) information security program, you are already doing essentially everything needed to become compliant when required. The difference between being secure and being compliant is the organization’s maturity. Practice good information security daily and you will essentially be compliant (good maturity). Implement or improve information security only to meet a compliance requirement such as PCI (bad maturity).

While I was at TRISC 2010 to present on “Cloud Security can be used securely”, I listened to the ever entertaining Dr. Eugene Schultz mention in his keynote the PCI breaches at TJX and Heartland Payment Systems. We have all read the plethora of articles about the incidents, how they occurred, how much they cost the organizations and, of course, that both companies were ‘PCI Compliant’ at the time. If you believe they were PCI compliant, you are sadly mistaken, but it is the first thing you hear people discuss: “But they were PCI compliant.” (Also read: Heartland CEO on data breach: QSAs let us down.)

True, both TJX and Heartland had been certified PCI compliant by a QSA at some point in time, but when did the breaches occur? The day the QSA certified them? Of course not. They were compromised after they stopped practicing PCI compliance, after they stopped performing best practice, state of the art, best of breed information security, which I am guessing was only days after they obtained their certification or after the QSA left. Remember, certification is a point in time: the day you were assessed by the QSA (in the case of PCI) is the day, or maybe the few days, on which you were actually compliant, not weeks, months or a year later.

Why? It is simple, really: TJX and Heartland both stopped monitoring their environments. How do we know? The initial intrusions went undetected for roughly 17 months at TJX and roughly 7 months at Heartland. These companies were not actually PCI compliant at all, because PCI requires monitoring and alerting (Requirements 10 and 11) to occur every day, all the time, for everything, that is, for every actionable security-related event. Basically it means watch for malicious activity and automate the watching. This is where most organizations fail in the audits and assessments I have performed over the years, and of course TJX and Heartland failed here as well.

Recently I read Brian Krebs’ blog post on the Verizon Business Risk team’s report on 2009 breaches. The report found that 85 percent of breaches involved common configuration errors or weaknesses. Yup, you guessed it, the kind of thing a software patch or a configuration fix takes care of. Yet companies that are patch happy, with an “apply them now” mentality, were often found not to have reviewed their log files in months. The same report’s sidebar, titled “Of needles and haystacks”, stated that 86 percent of the breaches could have been prevented or detected had the organization actually reviewed its logs for unusual behavior or actionable security-related events. That means actually alerting on security incidents: yup, PCI DSS Requirements 10 and 11. We can all relate to this; it is like hiring a security guard for the front desk who doesn’t actually check ID badges or watch for nefarious behavior by ne’er-do-wells.

So this simple report from Verizon shows how a company that obtains some form of certification, usually because it is obligated to, often fails, as TJX and Heartland did, because it stopped performing good information security practices, falling out of PCI compliance on the first day it stopped being proactive with monitoring and alerting. If these organizations had practiced PCI compliance daily, looking at some log report or alerting on actionable security-related events, they would have detected the intrusions in days rather than months instead of suffering the breaches they did.

If you practice real, proactive information security, then by default you will be compliant with almost any regulatory or compliance requirement. If you implement information security to become compliant with PCI, ISO, HIPAA, etc., you will never really be compliant, because you are doing security to pass a test rather than regularly practicing, performing and maintaining a best practice, state of the art, best of breed information security program, which is what being compliant actually means.

Michael Gough is a Senior Risk Analyst for the State of Texas and host of With 20 years’ experience in technology and information security consulting for Fortune 1000 accounts, Michael has contributed to the Center for Internet Security (CIS) HP-UX, Windows and Wireless Benchmarks. In addition, Michael has authored several articles for information technology periodicals on Skype and information security. He has authored two books from Syngress Press on Skype and video conferencing.