PCI-DSS compliance does not always guarantee security

PCI-DSS stands for Payment Card Industry Data Security Standard and is a worldwide information security standard overseen by the Payment Card Industry Security Standards Council. The PCI-DSS standard was created to help organisations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

According to Reuven Harrison, chief technology officer at Tufin, complacency is the IT manager's worst enemy, especially when it comes to IT security.

"This fact was brought home quite clearly at last week's Black Hat security briefings in Las Vegas, at which researchers revealed company after company - and technology upon technology - whose IT security could be compromised", he said.

Harrison added that, as witnessed by the comments of Douglas Merrill, former VP of engineering with Google at Black Hat, if senior managers can become frustrated with an IT architecture, then the same thing can happen further down the management chain.

And when that happens, he said, the firm becomes a breeding ground for IT workarounds that allow staff to work more efficiently, but also allow them to circumvent their own security systems.

As a result of these pressures, he explained, having systems in place that check any and all IT security configuration changes for compliance with corporate policies is rapidly becoming a critical component of an efficient IT security regime.

Harrison said that these pressures to work more efficiently can also be expected to increase as the economic situation that many companies now find themselves in takes effect.

As a result, he said, you can begin to understand why, if a company is PCI-DSS compliant - as was the case with Heartland Payment Systems (earlier in the year) - they can still be hit by a data breach.

"Regulatory compliance and best practice certifications are excellent indicators of management quality, but when it comes to security, the acid test is whether multiple layers of security are installed, and are reviewed - as well as tested - on a regular basis", he said.

"This is what security lifecycle management is all about. IT security has now become a state of mind and needs a holistic approach if management is to stand a chance of beating the security demons", he added.
