"Is it safe to continue shopping in your stores?
We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards."
Are they alluding to PCI here? I think so ... So, is this a PCI failure? Or this is simply a reflection of the fact that you CAN be 0wned, no matter how many compliance hurdles you overcame....?
4 comments:
The core issue is confusing "compliance" as "security".
Furthermore, "compliance" can negatively impact "security" as it reduces focus to the controls specified for "compliance" rather than the holistic view of "security".
Very true - however, I REALLY hope that such situations (where compliance efforts decrease security) are rare...
@Anton,
There are actually two distinct but related issues with PCI:
1. "security" is not "compliance"
2. "compliance" decreases "security"
I have referenced the first point above (as it was most relevant to your Post).
However, it is important to consider the second point, which I believe you may also be alluding to?
>1. "security" is not "compliance"
Yes, that was kind of established already.
>2. "compliance" decreases "security"
This is the fun part: I would love to see more REAL examples where it actually happened. E.g. dollars spent on writing up docs (hi, FISMA :-)) while admins had passwords of "password" and exposed IIS 4.0 to the Internet...