Compliance is not security

Tim Holman comments on the latest card processing system breach:

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into
the computers it uses to process 100 million payment card transactions per month
for 175,000

took a moment to see if they were PCI Compliant and they were audited in March
2008 by

cannot be held liable for customer breaches, but seeming the compromise occurred
only a few months after their final audit it does bring into question PCI DSS
auditing practices and whether or not they’re just ‘tick in the box’ or actually
leave companies with a long-lasting compliance strategy that actually helps
merchants/service providers remain compliant.

Yes, they are just tick in the box. If you look at a security certification audit (any kind thereof), it’s mostly hands-off process confined within a scope that leaves most of windows of opportunity out. And the auditors have no accountability for the ongoing business security. Corporate bureaucracies are magnifying the problems by resisting changes (and real security tests) originating from within the organisation, and putting most trust in the assorted audits instead. “Audit remediations” are getting more focus and resources than the real issues. In too many cases, internal security operations give up security and become compliance-driven. That is a recipe for trouble.

One might say that something is better than nothing. I reject that notion: it is better to do nothing than spend time and money on something that results in worthless certification, while security stays poor. HPY is yet another proof.