Stop Confusing PCI Compliance With Actual Security

To this day, people are surprised when an organisation is breached after having achieved PCI compliance.

The SSC has never claimed that PCI compliance ensures the protection of cardholder data, especially when you consider that most organisations don’t DO PCI compliance for security; they do it to get their acquiring banks off their backs. All the SSC has ever claimed is that it helps, and it does.

Security is not about being impenetrable; that’s impossible. It’s about knowing your two main enemies: thieves and ignorance.

Thieves are lazy. In fact, I’d go as far as to say that laziness, more than a desire to be bad, is the leading driver behind computer crime. This drives them to steal first what is most easily available: the so-called low-hanging fruit. So to avoid thieves, just have YOUR fruit higher up the tree. That’s what PCI compliance does, and that’s all.

As for ignorance, my absolute favourite phrase right now is:

You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.
― Harlan Ellison

Information Security Policies and Security Awareness Training are SUPPOSED to cure all employees of their ignorance as it relates to the protection of data in their possession, and they would if they were taken seriously. They are not. Policies provide the dos and don’ts, training provides the whys and wherefores, and neither is given due care and attention.

Now combine those two and you can see why achieving PCI compliance means little to nothing if it’s not done PROPERLY! Even then, it will always fall short.

I have stated several times in my blogs that ALL compliance would automatically spit out the back end of a security program done well, and I have even defined what that is in my Security Core Concept series. The 5 people who actually read them will understand the following, but for the rest, here are 4 reasons why PCI compliance does not mean security:

  1. It does not start with a risk assessment relevant to YOUR organisation. The controls of the Data Security Standard ARE the risk assessment. Even if you were to perform your own at the beginning of your compliance project, you still have to do everything the DSS says, as there is no ‘residual risk acceptance’ in PCI.
    It is FAR more difficult to implement the PCI DSS controls as stated than it is to implement the controls relevant to your business, which is why it is never done properly.
  2. The focus of the DSS policies and procedures requirements is the paperwork, not the enforcement OF those policies. Having policies is meaningless if they are not read, understood, and followed.
  3. Once-a-YEAR validation of compliance is as pointless as hub-caps on a tractor. Yes, you are responsible for maintaining your compliance throughout the year, and yes, the DSS includes change control as a requirement (barely), but how exactly do you maintain compliance when the DSS provides no context or framework for a sustainable security program?
  4. Let’s take an actual control, logging: there is no PCI requirement for centralised logging (10.5.3 – “or media that is difficult to alter.”), meaning a daily retrieval will suffice for the daily review (10.6.X), which in turn can be performed manually. Show me how you can possibly perform adequate incident response in an environment that does not stream logs in real time to a centralised location that then performs the following automatically, and I’ll wash the crow down with a healthy serving of humble pie:
    – Real-time alerts based on ‘never-see’ events from every system component.
    – Real-time alerts based on violations of ‘threshold’ events baselined from every system component.
    – Alerts based on violation of ‘trending’ patterns (you have a year’s worth (10.7.X), use them).

    Logging is the core of incident response, which is the only way of preventing a security event from becoming a business-crippling disaster. Logging is not just a collection of events to be used in a forensic investigation.
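To make the three automatic alert types above concrete, here is a small Python illustration added to this page (it is not the author’s code or any product’s): a central collector keeps a per-host, per-event baseline of hourly counts and raises never-seen, threshold and trend alerts over a constructed stream. The host names, event names, the 3-sigma threshold with a floor of 1, the 3-interval window and the 1.5x trend factor are all assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

class LogAlerter:
    """Per-(host, event) baseline of hourly counts plus never-seen, threshold and trend rules."""

    def __init__(self, history, sigma=3.0, trend_window=3, trend_factor=1.5):
        # history: {(host, event): [hourly counts retained from earlier intervals]}
        self.history = {k: list(v) for k, v in history.items()}
        self.sigma, self.factor = sigma, trend_factor
        self.recent = defaultdict(lambda: deque(maxlen=trend_window))

    def ingest(self, host, event, count):
        """Feed one interval's count for (host, event); return the alerts it raises."""
        key = (host, event)
        hist = self.history.get(key)
        if hist is None:  # rule 1: an event type this host has never produced before
            self.history[key] = [count]  # first sighting seeds its baseline
            return [("NEVER_SEEN", host, event)]
        mu = mean(hist)
        sd = max(pstdev(hist), 1.0)  # floor so a flat baseline is not a hair trigger
        if count > mu + self.sigma * sd:  # rule 2: spike above the baselined threshold
            return [("THRESHOLD", host, event)]  # spikes are kept out of both baselines
        window = self.recent[key]
        window.append(count)
        # rule 3: sustained drift; each count is under the spike threshold, yet the window mean is not
        if len(window) == window.maxlen and mean(window) > self.factor * mu:
            return [("TREND", host, event)]
        hist.append(count)  # only quiet intervals extend the baseline
        return []

# Constructed baseline: 24 quiet hours of auth failures on web01 (mean 5, spread 4..6)
HISTORY = {("web01", "auth_failure"): [4, 5, 6, 5] * 6}

# Constructed hourly stream of (host, event, count) as a central collector would see it
STREAM = [
    ("web01", "auth_failure", 6),    # normal
    ("web01", "auth_failure", 40),   # spike -> THRESHOLD
    ("web01", "new_admin_user", 1),  # never produced by this host -> NEVER_SEEN
    ("db01", "auth_failure", 1),     # unknown host/event pair -> NEVER_SEEN
    ("web01", "auth_failure", 8),    # each under the spike threshold (mean + 3) ...
    ("web01", "auth_failure", 8),
    ("web01", "auth_failure", 8),    # ... but the window mean exceeds 1.5x baseline -> TREND
]

def run_stream(history=HISTORY, stream=STREAM):
    """Run a stream through a fresh alerter and return the alerts in order."""
    alerter = LogAlerter(history)
    return [a for host, event, count in stream for a in alerter.ingest(host, event, count)]
```

The trend rule is the one a daily manual review cannot reproduce: no single hour looks wrong, only the sequence does.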

Bottom line: PCI compliance is nothing more than an attempt to protect cardholder data better than it was protected previously, and in that it has only succeeded in the organisations who focused on security, not compliance.

Everyone else threw good money after bad and kept the thieves from having to find their next low fruit.


5 thoughts on “Stop Confusing PCI Compliance With Actual Security”

  1. “Risk Management” is one of the worst things to happen to information protection ever.

    It allows people and companies to rationalize “Who could ever figure that out? Our own people don’t know how it works. No hacker is going to figure it out!”

    You can talk about “risk assessments” all you want but everyone knows that Wyndham did their own version of risk assessments and rationalized their way out of doing anything until it bit them in the butt.

    And what was the basis of the Wyndham court case? That the FTC was not prescriptive enough. The FTC didn’t tell them what to do. And yet PCI does exactly that. It tells people the less-than-minimum that they need to do and they still won’t do it.

    • Thank you JJ, but the same could be said for any process. Crap in, crap out. EVERYONE performs risk management on a daily basis; cross the road, don’t cross the road. Eat gas station sushi, or don’t, and so on. Any organisation that does not perform risk management or the risk assessment properly are idiots and deserve what they get, but the concepts themselves are still sound.

      • Very true but with one major difference:

        “EVERYONE performs risk management on a daily basis; cross the road, don’t cross the road. Eat gas station sushi, or don’t, and so on.”

        are all risks where personal accountability is implicit because the risk is to the person doing the assessment.

        “Any organisation that does not perform risk management or the risk assessment properly are idiots and deserve what they get …”

        When the risk assessment is “Almost any risk is acceptable until it happens to us.” what the “idiots” get are raises, promotions and bonuses. And it becomes someone else’s mess to clean up.

      • Yes, indeed. Thank you for taking the comments the way they were intended.

        A local lawyer/infosec guy was giving a presentation on the stages of an executive who owned the world and then experienced a breach, and asked me to review it. At first the exec was impeccably dressed. As the stages of the breach wore on the fellow portraying him got progressively shabby and unkempt. The last slide was of the former exec behind bars wearing a jumpsuit, haggard beard and a forlorn look in his eyes. I suggested that he add one more slide, so he did.

        The exec was shown standing outside a large glass office building, dressed to kill, hair dyed to remove the grey, with a Mercedes to one side and a tall, willowy young blonde on his arm on the other side. The sign on the entranceway read:

        “Data Breach Consulting and Remediation LLC”
        “Because real experience matters”

        Yeah, it was a smash hit at both tech meetings and the local bar association. 🙂
