Does PCI Compliance Equal Security?
NEW YORK -- The need for regulatory compliance is driving spending on security. Yet is it actually improving security overall?
It really depends on who you ask, according to industry experts from RSA, MasterCard Worldwide, Forrester Research and Depository Trust Clearing Corporation. Representatives from these companies debated the merits of PCI compliance and offered suggestions on how to implement it during the Interop conference here.
"A lot of people wouldn't do anything without it being a reaction to an incident," said Paul Stamp, senior product manager at RSA. "Compliance leads to security, which wouldn't be there otherwise. So it's a good thing."
That said, compliance with a regulation such as the Payment Card Industry Data Security Standard (PCI-DSS) doesn't necessarily mean that an organization is secure. Khalid Kark, a principal analyst with Forrester Research, argued that a lot of businesses think being in compliance with regulations assures them of security best practices. That's not always the case, he said. If you do security well, however, it could lead to compliance.
Because of the new compliance requirements with PCI this year, Forrester is seeing a bump in spending on security.
The PCI-DSS standards are an effort by the payment card industry to provide a baseline level of security for those that process payment card information. PCI-DSS version 1.2 is scheduled to come into effect on October 1st, adding further security provisions.
"PCI is a global standard because fraud is global," Jennifer Mack, a vice president with MasterCard Worldwide, told the audience. "While PCI is a single standard for a global environment, it does allow for flexibility and that's what's in the upcoming standard with extra clarity around the requirements."
Mack is also a member of the PCI Council, the body that develops the industry specifications for PCI compliance. She noted that a primary reason for the PCI standards is that the payment card industry is trying hard to avoid government intervention in the space.
Furthermore, she argued, the standard is helping a lot of companies avoid data breaches because of their compliance posture.
Mack's declaration drew a swift response from panel moderator John Pironti, chief information risk strategist at CompuCom. He argued that he was aware of breaches of PCI-compliant vendors. Mack, however, responded that in cases where a vendor was fully compliant with every aspect of the PCI standard, there have been no reported issues.
This article was first published on InternetNews.com.