Compliance vs. Security: a thought exercise

by tyler

This post will be substantially shorter than most. It truly is a thought exercise.

I was sitting in the office of a colleague last week and we were discussing the mantra that many of us who deal with PCI Compliance end up repeating frequently. The statement, depending on situation, goes something like:

PCI Compliance is, simply, a milestone event. True security is about risk management.

Or, if you prefer:

Compliance != Security

As we were discussing this topic*, I was thumbing through the QSA training guide that is issued by the PCI Security Standards Council. As we looked at the materials, the discussion took a shift and we began a thought exercise that has been tickling the back of my brain for the last week.

If, for a moment, we could assume compliance (as a milestone event) was always the outcome of a risk-based approach to security…what is it that you would do differently than that which is mandated in the PCI requirements? What is it that the compliance process prevents, or inhibits, you from implementing as a risk-based control?

What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below…

* Yes, this was done solely for enjoyment. We are just that into payment security…