Friday, April 11, 2008

Ooo, look at my muscles – I’m So PCI Compliant


The big myth right now that many merchants face is that PCI compliance means security. Unfortunately for merchants that are spending thousands, hundreds of thousands, and sometimes millions of dollars upgrading their systems for compliance, this is not the case. Compliance does not equal security. In fact, even a successful PCI audit only reflects a point in time, so technically a merchant is only “certified compliant” at that specific point in time.

Hannaford did everything they could to be PCI compliant. From what I have read, they did not cut corners or go the cheap route with compliance. IMHO the problem was too much, maybe exclusive, emphasis on compliance and possibly not enough emphasis on security. I’ve said it before and I’ll say it again, focus on security and compliance will be a byproduct.

One last point I would like to drive home about why security is so important. Over the years I have had the opportunity to speak with various people in the industry. One ex-MasterCard mucky-muck told me that the card associations view EVERY breach as a compliance failure by the merchant. In other words, if you are breached you will be found out-of-compliance and fined – period. If you are focusing on compliance to reduce your risk of a fine, give it up; focus on security instead.
