There was a posting made recently on the SPSP Forum stating, “The PCI standards are all about compliance, not about security.” This is a complaint I hear often, not just about the PCI DSS, but about other standards as well. However, I would argue that compliance with the PCI DSS has everything to do with security.
I think people confuse compliance with absolute assurance that activities are performed. Compliance is defined by Webster’s Dictionary as “conforming to a regulation.” In this example, the PCI DSS is the regulation and the card brands are requiring your organization to conform to the PCI DSS. Compliance does not imply assurance, which is defined as “a guarantee.” As I continue to tell you, security is not perfect, so absolute assurance is never a possibility.
Technical people typically do not have the best relationship with executive management, so their recommendations for better security typically get ignored. As a result, security does not have as high a posture as it should have in many organizations. In addition, in many cases, technical people are great at configuring the technology, but fail to monitor and follow up timely on changes and issues with the technology. How many times have you heard the statement, “Yeah, we get lots of those alerts. But we know they are all false positives, so we just ignore them.” What that says is rather than fix the problem we just ignore it. Because it is highly likely that in amongst all of those alerts, a real alert is ignored and that may be the difference between being secure and being breached. It is these sorts of issues that an assessment brings to the surface.
I also think the people that throw out the “compliance is not about security” statement are threatened by the “witch hunt” that some assessors and auditors conduct. Security people may also view the assessment as a threat to their expertise and judgment. In some cases, they may fear that they will be shown to be not as competent as they are currently perceived. Any assessment should never be a “witch hunt,” although, unfortunately, a lot of executives and their reports see it that way and, in some cases, executives use it in that way. An assessment should be an honest appraisal of an organization’s security policies, standards and procedures and how well they are implemented and followed. We are all human, so an appraisal will always find areas where policies, standards and procedures are not operating properly. It is those areas where improvements need to be made to better ensure that security holes do not develop or are closed. Assessments should be an opportunity to improve the organization.
I think many people that are using excuses are looking for a standard that dictates to them what they need to do. That way it is the standard’s fault, not theirs, when a breach occurs. Many people complain that the PCI DSS is not prescriptive enough. I say to these people, if the PCI DSS told you that only Cisco ASA or CheckPoint firewalls were allowed, you would then complain that the standard was not flexible enough. All security standards were developed to allow for the use of a variety of security technologies and solutions because what works for one organization, may not work for another. One solution does not fit all and never will.
The requirements in the PCI DSS are a collection of security best practices. How would complying with the PCI DSS not be about security? In order to comply, you need to implement and maintain proper security. In the end, I think people that make such statements are making excuses for their own shortcomings rather than owning up to them and doing their best to correct them.
PCI Guru 
1 Response to “It Is All About Compliance, Not Security”