The Bad Guys Are Out-Running The Good Guys - Can Compliance Stop Them?

摘要

Judging by the number of public breaches that we keep hearing about, it looks like the bad guys are far outrunning the good guys. We know it's a big problem because as a company we get called in to sort out the problems most often once the horse has bolted. In June of this year in the US with section 6.6 of the PCI Data Security Standards (DSS) becomes mandatory in the US will things change? From a UK perspective it'll be interesting to whether it makes a change for the better. Online merchants that process credit card payments will either have to conduct a code review for their applications or install an application-layer firewall. The standard offers a choice, but there really isn't any choice at all. If an organization is going to successfully protect its data, it needs to aim for preventing a breach, not passing an audit. This means, first, finding and fixing the vulnerabilities in your software, second, building security into the development process, and third, protecting your applications once they're deployed. Hannaford Bros, a supermarket chain based in New England, USA, passed a PCI audit and then got hacked. They lost 4.2 million credit and debit card numbers, which has led to 1,800 cases of fraud to date. Over the last two years, as the PCI standards have slowly been implemented, the number of data breaches has increased from 158 incidents in 2005 to 443 incidents in 2007, for a total of 212 million records. So judging by this, you'll see the bad guys are still very much in the lead. And that's why PCI keeps evolving. But, in order to win this battle, companies must invest in security, not just in compliance.