Compliance ≠ risk management or security

Who hasn’t heard about Target, Neiman Marcus and the unknown number of other retailers whose Point-of-Sale (POS) systems were hacked?

The apparent method was RAM-scraping malware on the POS systems: the card data was captured from memory during the brief window before it was encrypted.

Let’s not get into that; everyone and their brother will tell you about it.

What I want to make a point of is that businesses that want to process credit cards are required to

  1. Be PCI-DSS compliant
  2. Provide compensating controls wherever they aren’t compliant
  3. Pay HUGE sums of money for being out of compliance … and this isn’t a one-time payment, it recurs for as long as they stay out of compliance.

Keep in mind, PCI-DSS isn’t federal law; it’s an industry standard that the card brands enforce.  They do it in an effort to limit the liability they take on when they allow a business to accept their brand(s) of credit cards.  Visa, MasterCard, American Express … these card brands and others police the standard by charging for infractions.  Essentially these costs filter back to you and me in the form of the Annual Percentage Rate (APR) or the annual fees for having a card.

Target (et al.) were required to be PCI-DSS compliant, and they were all audited by serious-minded assessment companies that don’t hand out slaps on the wrist.  The card brands behind them know that money makes an impression, so offenders get fined.

Assuming these companies were compliant, you’ve got to wonder how they could’ve gotten hacked.  This is an incident that illustrates how compliance with laws, regulations, standards, policies, guidelines or even best practices does not ensure security or risk management: compliance is a point-in-time snapshot against a checklist, while an attacker only needs the one gap the checklist didn’t cover.