NOTE: This article first appeared on LinkedIn.
While working with a not-for-profit organization to help redesign the technology that supports its members, a vendor was exceedingly insistent that their security was above reproach because the company’s systems were PCI-DSS Certified.
As I read about the security breaches at Kmart, Staples, Dairy Queen, Jimmy John's, Goodwill, JP Morgan Chase, Home Depot, Albertsons, P.F. Chang's, California DMV, Sally Beauty Supply, White Lodging (a franchisee of Marriott), Neiman Marcus, and Target, please excuse me if I am not impressed that your company is PCI DSS Certified.
If I could corner that executive today who would begin an answer with “PCI-DSS 3.0 requires us to…,” I would ask him: if his company and all of these others had to be PCI DSS Certified in order to accept credit cards, then how can I trust anyone associated with the payment card industry?
The Data Security Standard offered by the Payment Card Industry is the classic case of information security theater. It looks good because it talks about all the right issues, but it glosses over the fact that information security is a process and not something that can be bolted onto your system to make us feel better.
Information security is a process. It is not something that is checked off the list of requirements and tested a few times. You have to assess risks and adjust potential mitigations to those risks as they arise. Just because you passed that test today does not mean that it will protect you from the risk tomorrow.
Today, there was an attack on Parliament Hill in Canada’s capital city of Ottawa. As part of the reporting, it was noted that Members of Parliament (MPs) from both sides of their political aisle had expressed concerns over the security of the area. One told a reporter that it was as if someone did not believe that Parliament would be breached.
This sad story out of Canada is similar to the way companies treat computer security. They stick their heads in the proverbial sand and say that since it has not happened before, it will probably not happen. Yet we see this lack of concern for security in all walks of our lives.
Recent information security breaches have been focused on theft. But how long will it be before these breaches go further? How long will it be before a hack causes malfunctions that will put lives in danger? How long will it be before these risks are taken seriously?
Security at Parliament Hill will change tomorrow. Unfortunately, it does not appear that the retailers in the above list will do much beyond what PCI DSS tells them to do. I hope it does not take injury or death to get PCI to stop putting a bandage on this open wound and start fixing what is wrong with their Data (in)Security Standard.