Compliance - A Necessary Yet Insufficient Test of Security
Brian Tokuyoshi - Product Marketing Manager
The PCI Data Security Standard brought the issue of data encryption to light for many organizations. It established a baseline for security practices that highlighted some of the things that best-of-class security organizations already knew, such as specifying the types of data that must be protected and how to avoid risky practices that could expose such information to unauthorized access. It was necessary because the card processing industry is extensive and there needed to be guidelines to bring all the participating companies up to spec.
Yet there still appear to be lingering misunderstandings about what it sought to achieve. From the viewpoint of the industry, its purpose is easier to understand: it gives the credit card industry better assurance for its customers that every company handling personal information has met a minimum set of security standards. From the viewpoint of the organization undergoing the PCI audit process, the purpose does not seem to be universally understood.
For example, what about the issue of responsibility? Clearly, the intent of PCI DSS was not to take the responsibility for providing security away from its members; its guidelines were meant as a measure of what the industry considered to be the starting point for a security practice. The auditor’s role is to ensure that member organizations measure up to the specification, but the auditor doesn’t necessarily go beyond the benchmark. That’s how it works from the industry’s viewpoint, but apparently to the audited company, that’s not always so clear.
CardSystems Solutions is a payment processor that experienced a data breach in 2004, even though it had passed a Cardholder Information Security Program audit (a precursor to PCI DSS). CardSystems Solutions is now seeking damages from its auditor. This case is actually more complex than it appears on the surface, with a number of fascinating issues about the business of auditing and compliance. This lawsuit could redraw the lines about the roles of each party (the auditor, the audited company, and the standards authors). It could also mean that auditors may need more liability insurance, which would drive up the cost of compliance even further.
Data breach notification laws, such as California SB1386, are actually a tougher benchmark than PCI DSS precisely because they are less specific (rather than more specific) about the required tasks. Data breach notification laws do not specify a course of action to meet compliance, but rather prescribe the penalty for the loss of data. It is clear and unambiguous that the responsibility to protect data rests solely on the holder of confidential information. This changes the economics so that failure to properly protect consumer data becomes a financial risk to the company, and companies quickly ascertain that they must do whatever is required to keep data safe regardless of the audit "standards". There is no transference of responsibility, because as possessors of the consumer data, they must keep it protected. There is no auditor to sue or compliance standard to blame.
Whether it is compliance or data breach notification laws, the drive to protect consumer information is a good thing. It will be interesting to see how the CardSystems case pans out, because it will have a number of repercussions throughout the industry. Nevertheless, the fundamentals of data protection remain the same, and getting started on ensuring that information stays encrypted, and building on top of a proper long-term strategy for data protection, is something that’s good for everyone.