A lot has been written on PCI in the light of the recent Heartland breach. Unfortunately I was still setting up this blog when Heartland happened.
In my (more than) humble opinion, the fact that Heartland was breached has nothing at all to do with the company being PCI compliant, but everything to do with how its management perceived the need to secure critical information. It is clear that this particular company took the following equation as the basis for its risk management:
Information Security Cost <= PCI compliance cost.
By doing that, the company made a critical error. They needed to be compliant in order to be able to process cardholder data and they made compliance their end goal.
At the same time, I came to realize that a lot of people see a ‘PCI Compliant’ sticker as a statement that their infrastructure is secure. It isn’t. It’s basically the same as with any other certification. Back in the day when ISO 900x was hot, every company made a procedural handbook. Were the procedures used all of the time? The hell they were. Every time the yearly review came around, hours were spent re-learning the basics, and specific people were selected and their answers prepared. Sometimes everybody had to go and review the handbook again. That is what compliance is about: retaining a quality label.
Basically, PCI in particular is a great effort in risk transferal by the CC industry. You have to commend them for that.
I like PCI, because to me its most basic role is raising and enforcing awareness.
Is it the only thing you should do? No. Security, as we all know, is not a matter of checking boxes on a list. It’s also not a matter of implementing the next best firewall, IPS, SIEM or DLP technology. Security is a process and as such can never be certified; continuous improvement is paramount. Because it matters!
image under standard restrictions from http://www.sxc.hu
