Magazine Article | April 19, 2007

Does Compliant Mean Secure?

Source: Innovative Retail Technologies

Determine how to balance regulatory compliance demands with the need for a comprehensive information security program.

Integrated Solutions For Retailers, May 2007

Statistics show that identity theft and financial fraud are among the fastest-growing crimes. Recent headlines reveal a litany of data breaches that have left merchants dealing with major public relations fallout. Retailers continue to invest time, money, and resources into strategies and technologies that help them become compliant with the Payment Card Industry Data Security Standards (PCI DSS). However, the main issue that arises from this singular focus on compliance is that many companies are led to believe that compliant means secure.

History shows that PCI was designed by Visa and MasterCard as the common industry standard for data center, network, and infrastructure security requirements. Later, Visa established the Payment Application Best Practices (PABP) to address security and the risks associated with varying payment applications like POS or property management systems (PMSs). While compliance with the PABP is not mandatory, it is strongly suggested that companies undergo an assessment against the standard. However, just because a merchant purchased a validated PABP-compliant POS system, it does not necessarily mean that the merchant itself is PCI compliant.

In order to understand fully the difference between compliant and secure, it is necessary to visit the definitions of the words. Stripped even of its regulatory context, compliance means "meeting or adhering to an existing goal or objective." This notion is significantly different from security, which has been defined as "a measure taken to guard against a threat or vulnerability." The goal of security is to mitigate the risk to the organization. From these definitions it is clear that it is possible for an organization to be compliant, but not necessarily secure.

Similarly, it is conceivable that an organization could be secure without necessarily being compliant. If a company encrypts all personally identifiable information, the data may be considered secure, assuming the encryption addresses the risk posed to the data and is backed by proper key management. The encryption of personal information might lead one to consider the company secure even without the benefit of information security training for the entire staff, which is a required element of PCI. In this instance, a company that operates in a secure manner would likely be grossly noncompliant with PCI DSS.

Today's businesses require a proper melding of the concepts of security and compliance. The standards and laws are purposefully broad to provide guidance on the issues, without detailing the specific manner in which the objective is to be met. It is, therefore, left to the organization to determine how to balance the demands of regulatory compliance with the need for a comprehensive information security program. In this era of regulation and litigation, it is likely prudent to err on the side of caution, implementing controls that are identified as necessary by a risk analysis, as opposed to simply meeting the minimum requirements of compliance.

The frequency and magnitude of breaches continue to raise awareness of the need for information security, beyond simply being compliant. It is important to remember that information security pertains not just to the information, but also to the information systems that process and store that information. If the network is breached and employees are unable to access the systems, the information security posture of the company has been compromised. As the public becomes increasingly aware of information security, successful security evaluations will likely have a greater impact on consumer confidence while helping all retailers maintain compliance and protect their brand image and bottom line.