This is a post I have been meaning to write for some time, as I have been pondering the benefits vs. challenges of various standards / legislation. I’m not thinking about the challenges of implementing PCI-DSS (Payment Card Industry – Data Security Standard), more the challenges of working in environments where compliance trumps security. As per the title, this post will focus on PCI-DSS, but I think it’s likely most of the issues will apply to various standards / regulations that are subject to compliance audits of some sort.
On the positive (blessing) side PCI-DSS is mostly a good standard, enforcing things like encryption in transit over public networks, separation of duties, minimising access to card data etc. It has forced some level of security practice onto companies that may previously have had relatively lax controls in place. The standard has also considerably raised the profile of security / meeting security requirements within many organisations.
On the negative (curse) side PCI-DSS is seen by many organisations as the be all and end all of security, despite the fact that it is the bare minimum you have to achieve in order to be permitted to handle / process card data. In addition it focuses almost solely on card data, ignoring concerns around things like PII (Personally Identifiable Information). This leads to a focus on ‘box-ticking’ compliance, rather than designing secure systems from the ground up, which would by definition be compliant with most (any?) sensible standards.
With the movement towards a more continuous monitoring style proposed for the latest release of PCI-DSS, the focus on obtaining compliance yearly may be something we are moving away from. However this will do little to address companies’ attitudes towards broader security and the belief that obtaining and maintaining PCI-DSS compliance means systems are completely secure.
On balance I think standards / regulations like PCI-DSS are a good thing as they force companies to at least achieve some minimal levels of security. The challenge for security professionals is to get project teams and the wider business to accept that these standards are the bare minimums. Considerably more secure designs / solutions need to be implemented if we want to actually meet our duty of care to our customers whose data we hold and process.
What are your thoughts?
How successful have you been in moving to security being ‘front and centre’, with compliance with regulations being a by-product of this, rather than the focus being on compliance instead of security?