Compliance equals no risk?
- TAGS:compliance, PCI, security
- IT TOPICS:Government & Regulation, Security
I picked on SC Magazine a little bit over at my personal blog yesterday, so I figured I would do it again here. But actually, this post is not really about SC Magazine. It is about a quote from an article written by Rob Tourt, who is a member of the PCI Security Standards Council. In his article, Mr. Tourt says this:
It's important to note that the high-profile data breaches of 2008 are more the exception than the rule. While there are still those that remain out of compliance and at risk of a breach, there is an even more profound increase in organizations that are compliant and are adopting the DSS and the tools introduced by the council. (emphasis added)
So two points:
- If I am reading that correctly, and if it is fair to read the implication in reverse as well, then those who are compliant with PCI are not at risk of a breach.
- But at the beginning of the paragraph, he said the high-profile breaches of 2008 were more the exception than the rule.
Which is it? They can't both be true. If compliance means no risk, then there can be no exceptions AT ALL. If there were ANY breaches, high profile or not, then you are still at risk even if you are compliant with PCI.
I grant that Mr. Tourt may not have meant to imply that compliance equals no risk, but someone in that position has to be careful with his wording.