PCI DSS 1.1 victims of the Compliance Culture: be less than you can be
In a recent PCI Webinar hosted by Imprivata software and Forrester Research, Khalid Kark mentioned that there is still a lot of confusion regarding which merchants need to be PCI DSS 1.1 compliant. He said (and I quote):
“The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server, the server that you own or you added, then you are basically responsible for complying with PCI DSS.”
He also said:
“In general, compliance is 100 percent, but it’s a certain point in time, so if you are compliant today, it doesn’t necessarily mean you will be compliant tomorrow.”
Mr Kark, from his position as a Forrester analyst, lends legitimacy to the idea that the ultimate business objective is 100 percent compliance.
This is fallacious for a number of reasons, starting with the fact that it is impossible to be 100 percent compliant with this standard. However, the real issue is that compliance does not contribute to improving business performance. The business needs to take a step back and assess what needs to be done in order to protect its digital assets at a lower cost than the consultants are quoting. A business lives in a performance culture, whereas regulators (and apparently most industry analysts) live in a compliance culture.
In the compliance culture:
- I comply with the standard.
- I am told the standard. If I am not told, I don't act.
- The standard is my objective.
- When I meet the standard, I am done.

In the performance culture:
- My job is to optimize risk, that is, to perform.
- A standard is a baseline. I use practical threat analysis to exceed it.
- Meeting a standard means little. I continuously improve.