Does PCI Compliance Work?
Given yet another very high-profile data breach at a supposedly PCI-compliant organization, many have begun to question the purpose and usefulness of PCI DSS and similar regulations. There is a valid argument here, but let’s first consider what these regulations are for.
PCI DSS and all similar standards are meant to define a baseline of due diligence that organizations must perform to protect the safety, security and privacy of their users, clients and consumers. No compliance standard ever written is good enough on its own; a standard exists so that companies which haphazardly and dangerously put consumers’ identities, credit and livelihoods at risk can be held accountable.
Because they are only a baseline, these regulations can never adequately protect organizations from malicious individuals who, in most cases, are smarter than those they are attacking. Used as the primary measure of a security program, PCI DSS alone simply will not prevent data breaches, and relying on it that way is not a recommended approach to security.
Some organizations that I have talked with recently have taken this to the extreme of ignoring PCI altogether, citing that the needs of their business are more important than the need for compliance. Let’s face it, depending on the organization and the level of compliance mandated, the certification process can be costly in terms of dollars and focus, so I understand the concern here. I do not endorse or recommend this course of action, but I applaud the organizations’ understanding that PCI compliance does not equal security.
If we must live with PCI, let’s live with it for what it is: a baseline framework for overseeing minimum due care. If we truly care about security and about protecting our data from breaches, compliance must be only one part of our overall security plan, or even a completely separate effort where possible. There will never be a governing body anywhere that can write a single standard adequately addressing the security requirements of every organization.
For anyone interested in tracking data breaches, visit www.privacyrights.org. You’ll be surprised how many data breaches have already occurred this year, many of them at PCI-certified shops.
Comments (3)
1. 01-29-2009 21:40
Excellent points about making PCI compliance a baseline for security and not the final answer. Interesting to note that a study released today warns businesses risk losing $1 trillion to data loss or theft: http://www.ciozone.com/index.php/Reuters/Businesses-risk-$1-trillion-in-data-loss-study.html
2. 01-29-2009 22:05
I started writing a comment but it was too long so I blogged it at http://www.ciozone.com/index.php/mamblog/view/2678/.html
3. 01-29-2009 22:56
The idea is to have security as a process and in a larger perspective than only with the objective of compliance. Many times security procedures are not followed in letter and spirit on the ground, but only for creating evidence for compliance. No need to reiterate that it must be interwoven in business processes and needs a consistent approach.