Compliance is not security

Tim Holman comments on the latest card processing system breach:


Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave:

http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf

QSAs cannot be held liable for customer breaches, but seeing as the compromise occurred only a few months after their final audit, it does bring into question PCI DSS auditing practices and whether or not they’re just a ‘tick in the box’ or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant.


Yes, they are just a tick in the box. If you look at a security certification audit (of any kind), it’s mostly a hands-off process confined within a scope that leaves most windows of opportunity out. And the auditors have no accountability for the ongoing security of the business. Corporate bureaucracies magnify the problem by resisting changes (and real security tests) that originate from within the organisation, and by putting most of their trust in the assorted audits instead. “Audit remediations” get more focus and resources than the real issues. In too many cases, internal security operations give up on security and become compliance-driven. That is a recipe for trouble.


One might say that something is better than nothing. I reject that notion: it is better to do nothing than to spend time and money on something that results in a worthless certification while security stays poor. HPY is yet another proof of that.