Compliant Does Not Equal Secure.

On 30 March, Global Payments Inc. announced that it had suffered a data breach that led to the Track 2 data (i.e., the primary account number, expiration date, service code, PIN and CVV number) of approximately 1.5 million credit cards being “exported” from its North American payment processing system.

There is still very limited and contradictory information about how the perpetrators compromised the payment processing system and who actually discovered the breach. However, one fact is clear: Global Payments Inc. was compliant with the Payment Card Industry Data Security Standard (PCI DSS) when the breach occurred.

Although other lessons may be learnt from this event if or when additional information is published, the only one that can be drawn at this point in time is Compliant ≠ Secure (or Compliance ≠ Security, if you prefer).

So what does this breach actually mean for organisations that must be able to demonstrate compliance with PCI DSS (or any other compliance standard, for that matter)? Well, it does not mean that standards such as PCI DSS cannot provide a useful framework for organising how information is secured. But overall it’s simple really: you need to actually manage the information security risks that you are exposed to, rather than merely demonstrating that you are able to meet your compliance obligations. That way you will at least be able to demonstrate that you had appropriate controls in place should a breach occur.