Is PCI still relevant? Some are proclaiming that PCI is irrelevant due to the recent, high-profile breaches. David Mortman disagrees, and I’m on his side.
In his Data Security Best Practices for PCI DSS Compliance post, he notes that the “problem isn’t that PCI doesn’t work. The problem is the perception that if a company is PCI compliant, it is secure and will never suffer a data breach.”
That perception is real, and the further you look up the executive ladder, the more frequently you’ll find this perception. The processes and safeguards that PCI, SOX, and other regulations require are usually just Risk Management 101 efforts–a baseline.
Baselines define the boundaries in which the game is played. How many baseball games have you watched where they played only on the baselines and ignored the rest of the field?
Furthermore, if a company is treating compliance as a checklist item, the less likely those baselines are going to be effective in determining when a transaction, process, or employee has wandered into foul territory.
Companies that meet compliance requirements, even those “checklist companies,” have improved their security and risk management standing. If you don’t believe this, ask your internal auditor how much additional fraud has surfaced–not only because of internal audit’s testing and monitoring, but due to employee whistleblowing–since SOX and other regulatory initiatives appeared.
Security has been tightened at these same companies–we know this because you and others have called the help desk and complained. If tighter security is causing legitimate users some pain, it must also be preventing others from accessing inappropriate data, making authorized configuration changes, etc.
PCI-compliant companies, Mortman says, should consider improving their baselines in the following areas:
- Data leak protection and traffic analysis
- SNMP, by using v3.0 with encryption
- Backup media-tracking processes and procedures
Read Mortman’s post here.
Final thought: Before PCI, many companies didn’t even play on the baselines, much less in the field of security.
This is a guest post by Skyyler.
ITauditSecurity 