The recent Heartland Payment Systems data breach is another lesson in the difference between following the rules and getting it right. But it might also be a case of the rule-makers protecting their turf.
The PCI DSS regulations are the way an association of credit card companies and financial institutions tries to ensure that private companies maintain the security of clients’ payment information. Merchants that process credit card transactions have to do things like build and maintain a secure network (which you’d probably want to do anyway, regulation or no regulation). Otherwise, if problems crop up, they get fined by the PCI Security Standards Council.
Heartland says it was PCI DSS compliant when the breach was discovered and maintains that, because it was following the rules, the breach was a lot less serious than it could have been. Here’s the problem: Visa’s Deputy Chief Enterprise Risk Officer Adrian Phillips suggests Heartland may not have been compliant, since “we’ve never seen anyone who was breached that was PCI compliant” (Bank Info Security).
It sounds like the regulator is concerned that some will get the wrong idea: if Heartland was in fact PCI compliant and was breached anyway, then PCI must be less than useful. That’s silly, since responsible companies understand that the PCI regulations are mostly what they should be following as a minimum anyway.
There’s nothing stopping companies from going further than what the regulations call for, and many companies do. Either way, whether meeting the minimum standard or going beyond it, companies and regulators must understand that there is no way to make a real-life company 100 per cent secure. The best we can hope for is mitigating risk.