Wednesday, January 28, 2009

Given the presence of yet another very high-profile data breach from a supposedly PCI-compliant organization, many have begun to question the purpose and usefulness of PCI DSS and other similar regulations. There is a valid argument here, but let’s consider the purpose for these regulations.

PCI DSS and all similar standards are meant to be a baseline set of due-diligence operations that organizations take to ensure the safety, security and privacy of their users, clients and consumers. No compliance standard ever written is good enough on its own; its purpose is to ensure that companies that haphazardly and dangerously risk the identities, credit and livelihoods of consumers can be punished.

As a baseline, these regulations can never adequately protect organizations from malicious individuals who, in most cases, are smarter than those they are attacking. Relying on PCI DSS alone as the primary measure for security operations simply will not prevent data breaches and is not a recommended approach to security.

Some organizations that I have talked with recently have taken this to the extreme of ignoring PCI altogether, citing that the needs of their business are more important than the need for compliance. Let’s face it, depending on the organization and the level of compliance mandated, the certification process can be costly in terms of dollars and focus, so I understand the concern here. I do not endorse or recommend this course of action, but I applaud the organizations’ understanding that PCI compliance does not equal security.

If we must live with PCI, let’s live with it for what it is: a baseline framework to oversee minimum due care. If we truly care about security and about protecting our data from breaches, compliance must be only one part of our overall security plan, or even kept completely separate from it where possible. There simply will never be any governing body anywhere that can write a standard that adequately addresses the security requirements of all organizations.

For anyone interested in tracking data breaches, visit You’ll be surprised just how many data breaches have occurred this year already, and many from PCI-certified shops.

