Tuesday, March 10, 2009

More on “Compliance First!”

I was about to post this back in January (!), but then Heartland blew off (coverage of the Heartland processor breach: On Heartland I, II, III and IV) and now it seems like ancient history. Still, I think one can say that the Heartland case shed some new light on the problems I covered in my “Making PCI Easier” and “Compliance First?” posts.

So, these were the responses:

  • Risktical’s Making PCI Easier – A Reality / Health Check (“This post is more focused on merchants or processors making PCI compliance easier for themselves. My thought process is that if merchants can make some aspects of PCI compliance easier on themselves – then there is a reduced need for relying “so much” on QSAs and less heartache around PCI-DSS in general.” – the post is also full of other comments useful for those dealing with PCI DSS “in the trenches”)
  • RiskAnalysis.is’s Using The Compliance Stick Actually Weakens You (“WHY PRESCRIPTIVE COMPLIANCE WEAKENS OUR INDUSTRY. […] Using prescriptive regulatory compliance to “get your way” removes your ability to be that [A.C. - see full post] consultant. So you don’t help make good decisions and therefore, in the eyes of management, have yet to earn the right to make the decisions you feel you need to make. In the long run, you turn into the “guy who manages our PCI stuff”, and your value is limited to doing just that. And therefore, so is your budget, your ability to execute, and ultimately, your “security”.” – a good argument that debates my points; in fact, I agree with it – BUT only in the context of a mature risk/security management program, not a small ignorant company…)
  • Infosec Ramblings’s Interesting Information Security Bits for 01/15/2009 (“Compliance does not equal security. Never has and never will.” – just a useful reminder!)
  • Martin’s “Security first” please! (“While I’ve only heard of one concrete example of a situation where PCI caused a company to actually become less secure than they were before, I’ve seen multiple examples of companies that were concentrating so hard on meeting compliance deadlines that they ignored any security measures around their network that weren’t directly related to PCI.” – his post expands this discussion; he also picks on my second point [see comments below this post])

And, finally, some news from the Delusion Dept: some people somehow still think that “compliance=security” (yes, really!)

There you have it – thanks to all who commented on these posts; hope they were useful to deepen our understanding of this whole conundrum…

BTW, in my next post, I will address a common misconception that “a PCI scan is a pussy scan.” :-)

Dr Anton Chuvakin