By Matt McKinley, U.S. director of product development, Stonesoft
The MSP Alliance welcomes a guest post from Stonesoft, Inc. (www.stonesoft.com), a global provider of network security solutions to MSSPs, enterprises and government organizations.
It’s been two weeks since Global Payments, Inc. reported a data breach impacting as many as 1.5 million credit card accounts. While executives have reported that no known consumer fraud has occurred, many specific details, including timing windows, have not been released at the time of this post.
Avivah Litan, VP and Distinguished Analyst at Gartner Research, shares a few thoughts on her blog:
Sounds like there’s a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.
In the meantime, Global Payments, which was PCI compliant at the time of their breach, is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.
What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.
I couldn’t agree more with Avivah’s closing remarks. In many ways, PCI compliance is engineered for disaster. First and foremost, any time you establish a bare minimum for security, the focus shifts to passing that standard rather than to creating a living, breathing process that keeps up with sophisticated threats. Companies spend billions of dollars a year tailoring their security strategy to be PCI compliant. One has to wonder how much budget is left over to protect against the unique, evolving security threats facing their networks.
Secondly, PCI audits are only as good as the people conducting them. This isn’t a jab at competency, by any means. It’s simply an observation of the inevitable human errors that occur in security. Just because an auditor doesn’t find a network security hole doesn’t mean one isn’t there.
As vendors and MSPs, it’s our job to educate our customers on the realities of PCI compliance. While important (and, for many, required), it’s only one piece of a network security strategy that operates as an ongoing process. When it becomes THE end-all, be-all checklist, it becomes a risk.