I promised more comments regarding Mr. Robert Gezelter’s blog post entitled ‘Securitization: A Risk To Compliance Integrity’.
To paraphrase Mr. Gezelter, compliance programs become irrelevant because there is no provision for feedback into the program that periodically adds new requirements and reevaluates existing ones to ensure that they are still relevant, or updates them to reflect new conditions. Mr. Gezelter is absolutely right that compliance programs must remain relevant, as an irrelevant program no longer provides any benefit.
The PCI compliance program is kept relevant by the participating organizations, the card brands, the QSAs, the ASVs, the PA-QSAs, the PCI SSC and other relevant parties. All of these groups are charged with periodically reviewing the various PCI assessment processes and making suggestions for additions, changes and deletions of requirements. The problem with this process is that, with so many groups and their different constituencies involved, permanent changes can take a while to get published. However, this is somewhat addressed by the fact that the PCI SSC can issue ‘clarifications’ to the PCI compliance programs to address immediate concerns.
If there is a problem with the PCI compliance process, it is that the assessment is conducted as of a point in time, although there are some requirements, such as vulnerability scanning and penetration testing, where a year’s worth of reporting is required. The consequence is that the organization is compliant at the time of its assessment, but may not have been compliant at any other time. This typically confuses people because Reports On Compliance (ROC) and Self Assessment Questionnaires (SAQ) are required to be filed annually, so most organizations assume that the assessment process covers the entire time between filings. Nothing could be further from the truth.
Since organizations are not likely to be PCI compliant all of the time, companies can suffer breaches even when they are supposedly PCI compliant. Even organizations that are extremely diligent about their compliance can still suffer breaches, because there are still humans involved. It’s not until the forensic examination is complete after a breach has occurred that a company is actually determined to have been PCI compliant or not. Given the odds, I would say that most organizations, for one reason or another, are not compliant at the time of a breach. And given that security is not a perfect science, it’s also likely that the breach was not necessarily the result of not being PCI compliant.
In the end, I think the PCI standards are being kept up to date and relevant, so Mr. Gezelter’s concern there is unfounded. However, I do believe there is a gap in the compliance assessment process that gives organizations a false sense of security that if they are compliant, all is good all of the time. And that is just not the case.