eIQviews

Ah, the Heartland breach continues to generate opportunities for us to get on the soapbox and talk about PCI compliance vs. security. The latest to appear is at Retail Info Systems News. Here is a little snippet (so I can make Anton a bit more crazy today).

“The message coming from the Heartland Payment Systems Breach is loud and clear. It’s reinforcement of what seemed to be evident from the Hannaford Bros. breach last year. PCI is not enough. Merchants have been relying on PCI as a crutch. Comply with the 12 requirements and credit card data is secure.

Of course, anyone that has been in the security business for a while knows the folly of thinking that any set of requirements and controls will truly create security. Throughout my 20 years in the industry, that just hasn’t been the case. Attackers are good and getting better. They are launching innovative attacks and rendering our defenses moot.

To be clear, there is value in the 12 requirements set forth by the PCI Security Standards Council. The PCI-DSS does a good job of laying the foundation for security, but just like you don’t live just on a foundation and expect to stay warm and dry in the winter, you can’t just rely on your security foundation for protection.”

You can check out the entire piece on the RIS site.