When the data breach occurred at Hannaford Brothers, much was made of the fact that the company was supposed to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Some observers even suggested that if Hannaford really had been fully compliant, the breach would not have happened.
However, Enterprise Management Associates' research director Scott Crawford says such a viewpoint is naive. In a recent telephone interview, he told me:
To be clear about the difference between compliance and security, compliance does not necessarily mean that you're going to never experience an attack or never experience a threat that has a significant impact on the business. ... The real point of compliance is to try and assure a higher standard of risk management. What I mean by that is, if you think of the parallels in the physical world -- in health care, for example. Exercising regularly, eating properly does not necessarily mean you're never going to experience a heart attack or debilitating stroke. But overall, it means that your chances of not having one or surviving one or having less impact from one are greater.
According to a post at The Industry Standard by an InfoWorld writer, PCI Security Standards Council manager Bob Russo holds a similar opinion. He notes:
The truth is that achieving compliance is a moment in time, it's a snapshot, and you need to be vigilant and live with these issues on a daily basis; you can't get your compliance certificate and put it in a drawer and feel satisfied. It's still pretty unclear exactly what happened [at Hannaford], but the upside is that they've said they'd like to share information about their incident, and feedback from everyone involved in this process has been crucial in making our efforts successful.
EMA's Crawford says the events at Hannaford will have an impact on the way the PCI standards evolve -- even if it's merely a matter of making sure they keep up with the nature of the threats that the industry faces.