Why PCI Compliance Actually Hurts Retail Security

PCI security requirements from the card associations have been a pain in the rear for many a retailer for many years. Some of the new EMV guidelines hold out hope for eliminating the need for PCI audits. However, one can make a strong case that the money and effort spent on PCI compliance, and the velvet hammer that comes with it, actually pulled resources away from true security. With everything connected to everything, key vendors holding login connections into the network, and CMOs engaging vendors outside of the IT infrastructure, there are many potential holes.
At the time of this writing, the latest theory on the breach at Target is that the hackers gained access to Target's HVAC provider through malware-laced emails, then leveraged that access to get into Target's systems when the provider's systems logged in. I highly encourage you to follow Brian Krebs on Krebs on Security, who seems to be all over this specific breach.
Retailers average between 1-2% of revenue on IT spending. Security is one part of that. In any year, this budget includes 300+ different IT projects that hit the budget on their own. And don't forget, depreciation for previous capital outlays also hits this budget. With so much focused on PCI compliance, there is only so much budget and manpower left to cover all other aspects of security. After all, what other market has segments dealing with 1% margins? And retail is the king of doing more with less.
The people at Target are a great group of people under tremendous fire. But ask any retailer and they will tell you they are at a disadvantage. In many ways, network security is like counter-terrorism security: with so much focused on airlines, the soft targets are not adequately protected. PCI is our industry's TSA. It started with good intentions. The reality is that it made everything else less secure because resources are limited. Compliance is not security, period.
Recently I participated in a terrific panel on security sponsored by Verizon. Here is a video of that discussion.