August 11, 2010, 3:54 PM — Let's be honest: Organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or worse, cut you off from credit card processing.
OMG! I would not be able to process credit card payments; it would cost me untold profit... OMG!
That is more like it, because we all know that if your organization truly practices good information security on a daily basis, it would already be PCI compliant (just missing the QSA certification, of course), and it would most likely be in compliance with just about any other compliance or regulatory requirement thrust upon it.
If you follow and actually practice, perform and maintain a best practice, state of the art, best of breed, call it what you will, information security program, you would basically be doing all the right things to become compliant if required. The difference between being secure and being compliant is an organization's maturity model. Practice good information security daily and you will basically be compliant (good maturity). Implement or improve information security only to meet compliance requirements such as PCI (bad maturity).
While I was at TRISC 2010 to present on "Cloud Security can be used securely", I listened to the ever entertaining Dr. Eugene Schultz mention in his keynote the PCI breaches involving TJX and Heartland Financial. We have all read the plethora of articles about the incidents: how they occurred, how much they cost the organizations and, of course, that both companies were 'PCI Compliant' at the time. If you believe they were PCI Compliant, you would be sadly mistaken, but this is the first thing you hear people discuss. "But they were PCI compliant," is what you'll hear (also read: Heartland CEO on data breach: QSAs let us down).
True, both TJX and Heartland had been PCI certified by a QSA at some point in time, but when did the incidents or breaches occur? The day the QSA certified them? Of course not; they were compromised after they stopped practicing PCI compliance, or when they stopped performing best practice, state of the art, best of breed information security, which I am guessing was only days after they obtained their PCI certification or after the QSA left. Remember, certification is a point in time: in the case of PCI, the day you were assessed by the QSA is the day, or maybe a few days, that you were actually compliant, not weeks, months or a year later.