Since Target’s 2013 security breach, I have been talking to a lot of eCommerce clients, and the conversation always leads to Payment Card Industry (PCI) compliance. They ask, “What do I need to do to be PCI compliant?” The answer, of course, is that it depends on what they are trying to accomplish: completing a checklist, or securing their customers’ data.
Why is compliance not secure?
First, it’s not secure for the same reason we laugh at the TSA for making us take off our shoes at airport security: we instinctively know that no terrorist will ever again hide a bomb in a shoe, so long as we all walk through in stocking feet. Attackers always have the first move, and their only limit is their creativity. So while it is important to use history as a guide for basic security practices, anyone planning an attack reads those same guidelines too, and uses them to learn which controls to route around.
Second, compliance isn’t secure because employees and staff are not typically a security-minded group: most security practices are inconvenient, and many seem counter-productive. For instance, we train our teams to provide great service and to treat the customer as always right. A capable attacker will always be able to find someone in the organization who is willing to provide great service to anyone who asks, the attacker included.
Third, it’s not secure because asserting compliance also depends on the compliance of the software the organization runs. There is a chain of assertions, each resting on trust in the one below it, and that trust can never be perfect. Zero-day attacks illustrate the gap: a zero-day exploits a vulnerability the vendor does not yet know about, so no patch exists, and the vendor often learns of the flaw only after it has already been used in a compromise. Until the patch ships and is deployed, a fully compliant system is still exploitable.
So what does it take to be secure beyond compliance? A defensive posture starts with designing and implementing systems so that they fail safe: when a control, a dependency, or an assumption breaks, the system denies rather than allows. That means defense-in-depth design, well-designed user interfaces that make the secure action the easy one, and aggressive exploratory testing, in addition to full compliance with existing requirements.
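The fail-safe point can be made concrete. What follows is an added example, not code from the original post: a hypothetical detokenization gate in front of stored card data, with the token vault, the role names, the function names and the sample data all assumed for illustration. The first version fails open, so a vault outage turns into an authorization bypass; the second fails closed, so every failure path ends in a denial and a log line rather than a card number.

```python
"""Fail-closed versus fail-open access to stored card data.

Added example, not code from the original post: the token vault, the
role names, the function names and the sample data are all assumed
for illustration.
"""
from dataclasses import dataclass
import logging

log = logging.getLogger("pan_access")


class VaultUnavailable(Exception):
    """The token vault could not be reached (simulated outage)."""


class AccessDenied(Exception):
    """Every failure path in the fail-closed gate ends here."""


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    token: str  # opaque vault token standing in for a card number


# Constructed sample data. Only the refunds role may see a full PAN.
DETOKENIZE_ROLES = frozenset({"refunds"})
VAULT = {"tok_1": "4111111111111111"}  # well-known test PAN, not a real card
LOCAL_CACHE = dict(VAULT)  # an "emergency" copy someone kept for outages


def lookup_token(token: str, vault_up: bool = True) -> str:
    """Simulated vault lookup; raises VaultUnavailable during an outage."""
    if not vault_up:
        raise VaultUnavailable("vault unreachable")
    return VAULT[token]  # KeyError for an unknown token


def masked(pan: str) -> str:
    """Show only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def detokenize_fail_open(req: Request, vault_up: bool = True) -> str:
    """Anti-pattern: the error path is more permissive than the happy path.

    When the vault is up, unprivileged roles get a masked PAN. When it is
    down, the fallback serves the full PAN from the local cache without
    ever consulting the role: the outage has become an authorization bypass.
    """
    try:
        pan = lookup_token(req.token, vault_up)
    except VaultUnavailable:
        log.warning("vault down, serving %s from local cache", req.token)
        return LOCAL_CACHE[req.token]
    return pan if req.role in DETOKENIZE_ROLES else masked(pan)


def detokenize_fail_closed(req: Request, vault_up: bool = True) -> str:
    """Deny by default: authorization first, and no failure returns a PAN."""
    if req.role not in DETOKENIZE_ROLES:
        log.warning("denied user=%s role=%s token=%s", req.user, req.role, req.token)
        raise AccessDenied(req.user)
    try:
        pan = lookup_token(req.token, vault_up)
    except (VaultUnavailable, KeyError) as exc:
        # Outage or unknown token: deny and leave a record, do not improvise.
        log.error("denied user=%s token=%s reason=%r", req.user, req.token, exc)
        raise AccessDenied(req.user) from exc
    log.info("detokenized user=%s token=%s", req.user, req.token)
    return pan


def denies(req: Request, vault_up: bool = True) -> bool:
    """True if the fail-closed gate refuses this request."""
    try:
        detokenize_fail_closed(req, vault_up)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    support = Request("bob", "support", "tok_1")
    refunds = Request("alice", "refunds", "tok_1")
    print("fail-open, vault up:   ", detokenize_fail_open(support))
    print("fail-open, vault down: ", detokenize_fail_open(support, vault_up=False))
    print("fail-closed, refunds:  ", detokenize_fail_closed(refunds))
    print("fail-closed, support denied:   ", denies(support))
    print("fail-closed, vault down denied:", denies(refunds, vault_up=False))
```

The two functions differ in one design decision: in the fail-open version the authorization check sits after the lookup, so any exception that short-circuits the lookup also short-circuits the check; in the fail-closed version the check runs first and the only thing an exception can do is deny. The same ordering applies to defense in depth more generally: each layer should be able to fail without the layer behind it becoming reachable.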