Whenever we talk about big data breaches, like the ones at TJX or Heartland in recent years, the question always comes up: Were there compliance problems? But if I've said it once, I've said it at least a hundred times: Compliance won't make you hack-proof, and security doesn't automatically equal compliance.
Fellow IT Business Edge blogger Mike Vizard said as much in December in a post on "The Security Delusions of Compliance." He said:
Unfortunately, the definition of compliance with any particular regulation usually comes down to meeting the bare minimum requirements. The end result is that while thousands of organizations can meet compliance requirements, very few of them are actually secure.
He went on to point out that those who are operating under such a delusion are in for a rude awakening this year because the bad guys are getting better at automating their work than we are at stopping it.
In a recent IT Business Edge guest opinion on data breaches and PCI compliance, Paymetric CEO Larry Wine reiterated that compliance does not necessarily equal security. He said:
Complying with PCI DSS should not be considered a silver bullet for protecting information and battling fraud. Consider that many of the companies victimized by data breaches in the past several years were, in fact, found to be PCI compliant prior to the breach. When the breach occurred, however, they had unwittingly fallen out of compliance. This puts companies at risk for a breach or an audit resulting in hefty fines...
But he also offers a solution. Tokenization can help companies stay compliant because it "leapfrogs...encryption": rather than protecting card numbers in place, it removes them from the merchant's systems, so a system that holds only tokens holds nothing an attacker can monetize and falls outside most of the PCI DSS scope. Wine explains:
This technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP or POS, and replacing it with a surrogate number known as a "token," a unique ID created to replace the actual data associated with a specific card number.
And according to research from Aberdeen Group, tokenization is "closely correlated with the achievement of best-in-class results." Not to mention it saves money and means that no cardholder data is stored in the company network, Wine points out. The caveat a practitioner should keep in mind is that the card numbers still exist somewhere: the token vault (or the provider hosting it) and the capture path between the customer and that vault remain in scope and must be protected and audited accordingly.
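To make the mechanism Wine describes concrete, here is an added example, not code from Paymetric or from the original post, of a minimal token vault: it intercepts a PAN at the point of capture, validates it, swaps it for a same-length surrogate that keeps only the last four digits, and stores the real number nowhere but in the vault. The vault here is an in-memory dict standing in for a provider-hosted or segmented vault, the record format and function names are invented for illustration, and the tokens are deliberately generated to fail the Luhn check so that a token can never be mistaken for, or used as, a real card number.

```python
import re
import secrets

def luhn_valid(number: str) -> bool:
    """Mod-10 check that every real PAN passes; used both to validate input
    and to make sure a generated token does NOT look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def is_plausible_pan(pan: str) -> bool:
    """13-19 digits and Luhn-valid, the usual sanity check before tokenizing."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)

class TokenVault:
    """Hypothetical vault: the only component that ever holds real PANs.
    In production this is the provider's hosted vault or a tightly segmented
    CDE; an in-memory dict stands in for it here."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not is_plausible_pan(pan):
            raise ValueError("input is not a plausible card number")
        if pan in self._pan_to_token:           # multi-use token: same card, same token
            return self._pan_to_token[pan]
        while True:
            # Format-preserving surrogate: random digits, real last four kept so
            # receipts and support staff can still identify the card.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would pass Luhn (a real PAN
            # always passes, so a failing token cannot be confused with one).
            if token in self._token_to_pan or luhn_valid(token):
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment gateway) ever see the PAN."""
        return self._token_to_pan[token]

def accept_order(vault: TokenVault, order: dict) -> dict:
    """Interception point at the web store / ERP: the PAN is swapped for a token
    before the record ever reaches the merchant's own database."""
    record = dict(order)
    record["card"] = vault.tokenize(order["card"])
    return record

_DIGIT_RUN = re.compile(r"\d{13,19}")

def record_leaks_pan(record: dict) -> bool:
    """DLP-style check a practitioner can run over stored records: does any
    string field contain a Luhn-valid 13-19 digit run? Tokens never trigger it."""
    for value in record.values():
        if isinstance(value, str):
            compact = value.replace(" ", "").replace("-", "")
            if any(luhn_valid(m) for m in _DIGIT_RUN.findall(compact)):
                return True
    return False

if __name__ == "__main__":
    vault = TokenVault()
    order = {"order_id": "A1", "card": "4111 1111 1111 1111", "amount": "19.99"}  # constructed test PAN
    stored = accept_order(vault, order)
    print("stored record:", stored)
    print("leaks PAN?", record_leaks_pan(stored), "| original leaks?", record_leaks_pan(order))
    print("gateway detokenizes to:", vault.detokenize(stored["card"]))
```

The `record_leaks_pan` scan is the kind of check that catches the "unwittingly fallen out of compliance" situation Wine describes: run it over exports, logs and backups, and any hit means a real PAN has escaped the vault.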