Let's be honest: organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or, worse, cut you off from credit card processing.
OMG! I would not be able to process credit card payments; it would cost me untold profit... OMG!
That is more like it, because we all know that if your organization is truly practicing good information security on a daily basis, you would be compliant with PCI (just missing the QSA certification, of course), and you would most likely be in compliance with just about any compliance or regulatory requirement your organization might have thrust upon it.
See also: Why 41 Percent of You Would Fail a PCI Audit
If you follow and actually practice, perform and maintain a best practice, state of the art, best of breed, call it what you will, information security program, you would basically be doing all the right things to become compliant if required. The difference between being secure and being compliant is an organization's maturity model. Practice good information security daily and you will basically be compliant (good maturity). Implement or improve information security only to meet compliance requirements such as PCI (bad maturity).
While I was at TRISC 2010 to present on "Cloud Security can be used securely", I listened to the ever entertaining Dr. Eugene Schultz mention in his keynote the PCI breaches involving TJX and Heartland Financial. We have all read the plethora of articles about the incidents, how they occurred, how much they cost the organizations and, of course, that both were 'PCI Compliant' at the time. If you believe they were PCI compliant, you would be sadly mistaken, but this is the first thing you hear people discuss. "But they were PCI compliant," is what you'll hear (also read: Heartland CEO on data breach: QSAs let us down).
True, both TJX and Heartland had been PCI certified by a QSA at some point in time, but when did the incidents or breaches occur? The day the QSA certified them? Of course not. They were compromised after they stopped practicing PCI compliance, or when they stopped performing best practice, state of the art, best of breed information security, which I am guessing was only days after they obtained their PCI certification or after the QSA left. Remember that certification is a point in time: in the case of PCI, the day you were assessed by the QSA is the day, or maybe the few days, you were actually compliant, not weeks, months or a year later.
Why? Well, it is simple really: TJX and Heartland both stopped monitoring their environments. How do we know? The initial incidents were not detected for roughly 17 months at TJX and roughly 7 months at Heartland. These companies were not actually PCI compliant at all, as PCI requires monitoring (requirements 10 and 11) and alerting to occur every day, all the time, for everything, or at least for every actionable security-related event. Basically it means watch for malicious activity and automate it. This is where most organizations fail in the audits and assessments I have performed over the years, and of course TJX and Heartland did as well.
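To make the "watch for it and automate it" point concrete, here is an added example (not code from the original post) of the two checks a daily monitoring routine needs: an alert rule over authentication events, and a check that every expected log source is still reporting, since a source that has gone quiet is exactly how a breach sits undetected for months. The log lines, host names and check time are constructed for the example.

```python
"""Toy continuous-monitoring check in the spirit of PCI DSS requirement 10:
parse syslog-style auth events, alert on bursts of failed logins, and flag any
expected log source that has gone quiet (the gap a months-long dwell time implies)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format: <ISO time> <host> <event> user=<u> src=<ip>
SAMPLE_LOGS = """\
2010-05-01T10:00:00 pos-01 login_ok user=alice src=10.0.0.5
2010-05-01T10:00:10 pos-01 login_fail user=admin src=203.0.113.7
2010-05-01T10:00:20 pos-01 login_fail user=admin src=203.0.113.7
2010-05-01T10:00:25 pos-01 login_fail user=admin src=203.0.113.7
2010-05-01T10:00:31 pos-01 login_fail user=admin src=203.0.113.7
2010-05-01T10:00:40 pos-01 login_fail user=admin src=203.0.113.7
2010-05-01T10:05:00 db-01 login_ok user=svc_db src=10.0.0.9
2010-05-01T11:30:00 pos-01 login_ok user=bob src=10.0.0.6""".splitlines()
EXPECTED_HOSTS = ["pos-01", "db-01", "fw-01"]   # sources that must report daily (constructed)
CHECK_TIME = datetime(2010, 5, 1, 12, 0, 0)      # "now" for the silence check (constructed)

def parse_line(line):
    ts, host, event, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """One alert per burst of `threshold` failed logins from one source IP within `window`."""
    alerts, recent = [], defaultdict(list)
    for e in (x for x in events if x["event"] == "login_fail"):
        times = [t for t in recent[e["src"]] if e["ts"] - t <= window] + [e["ts"]]  # sliding window
        recent[e["src"]] = times
        if len(times) >= threshold:
            alerts.append(f"brute-force: {len(times)} failed logins from {e['src']} on {e['host']}")
            recent[e["src"]] = []  # reset so one burst yields one alert, not one per extra failure
    return alerts

def silent_source_alerts(events, expected_hosts=EXPECTED_HOSTS, now=CHECK_TIME,
                         max_silence=timedelta(hours=1)):
    """Alert when an expected log source has sent nothing for `max_silence`: a monitoring gap."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return [f"monitoring gap: no logs from {h} since {last_seen.get(h, 'never')}"
            for h in expected_hosts
            if h not in last_seen or now - last_seen[h] > max_silence]

def run_checks(lines=SAMPLE_LOGS):
    events = [parse_line(l) for l in lines]
    return failed_login_alerts(events) + silent_source_alerts(events)
```

On the sample data `run_checks()` returns three alerts: one brute-force burst against pos-01, and monitoring gaps for db-01 (quiet for almost two hours) and fw-01 (never reported at all).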