This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into a discussion about corporate responsibility. If you haven’t seen this article about a company that is facing massive penalties, give it a read. It will help frame my position on corporate responsibility for promoting longevity. My position:
Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation.
During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should do that well, and not focus on other things as much. While on the surface I agree with this, I also think that being in business is inherently risky, and business owners should have good knowledge (or hire people that do) about the risks that apply to them.
Take the business-to-consumer environment for example. If you want to get money from a customer, you have a few options to do so. If you choose to accept payment cards, you need to understand how that acceptance affects your risk model. Is it overly complex? Definitely. Is ignorance an excuse? Never. This was something that used to drive me nuts as an assessor. The role of a QSA is to see how your company stacks up against PCI DSS, not to act as a liability transfer in case of a breach. If your organization faces compliance with PCI DSS, HIPAA, health codes, or local town ordinances, it must understand what those things mean to the business and build internal competency around them.
On to the discussion (again, slightly edited):
Ben: That statement also ignores that, while PCI may be your full-time job, it’s certainly not an organization’s (in general).
Me: If it’s that impactful to an organization’s bottom line, they should have the competency to handle it.
Ben: I think that’s a backwards and incorrect attitude. Audit/Compliance/Security is *not* their business. Business is. Audit/compliance/security/etc are merely attributes or emerging properties of their overall business…
Me: I think any company that doesn’t fully understand their business is backwards. PCI is a reality if they choose to accept CCs. Businesses choose to do things a certain way which causes audit/compliance/security.
Ben: While all this focus on audit/compliance/security may be good for you, it may not be so good for businesses. Focusing on the wrong things detracts from the right things (building a successful business that is resilient/survives).
Me: I’m not saying that audit is good because I might make money at it, I’m saying businesses choose to take risk, therefore they must live with the consequences, whatever they may be. Otherwise, divest/change.
Part of building a resilient business that will survive is good corporate risk management. Both Ben and I agree on this point. Executives need to know the level of risk they carry, and be able to make decisions on future actions based on how those actions affect their risk. For example, an over-leveraged company probably wouldn’t choose to take on more debt to expand (solvency risk), and a company relying on credit cards for customer revenue should know how banking rules affect its business (compliance risk).
Many merchants that are compromised have usually been told about PCI DSS, but they never invest enough time and energy to know whether what they are doing increases or decreases their compliance risk. Not only are they notified by their banks (albeit not uniformly or consistently), but most of these folks participate in an industry consortium that no doubt brings up the PCI topic often to its membership. Yet when merchants are breached, they blame everyone but themselves.
The best businesses are managed at a detail level. I’m not talking about micro-management by an executive—I’m talking about using detailed information to empower employees with the competency and skill to drive the business forward, or about outsourcing things to third parties that are qualified experts and will accept the liability on the business’s behalf. Visibility into the risk you carry at any given time isn’t required to make a decision about what comes next, but if you want to know how your decision will affect the future, you need to have a clear picture of what today looks like. You don’t HAVE to know anything about PCI DSS, but if you actually read (decoded is probably more accurate) the contracts you signed when you got your merchant account, you would know that you have to comply with certain security standards. You obviously can choose to ignore these standards, but you look ridiculous when you point the finger at someone else after a breach.
Of course, it’s getting harder for business owners to learn about their risks thanks to complex software packages being offered as a service. Business owners are attracted by the glitz and glamor of a fancy piece of software, yet they don’t really understand how to use it or understand the liabilities associated with the information stored—that is, until a breach happens.
Citizens of a civilized society are expected to follow the rules of that society. Ignorance is never a defense. If you choose to operate a vehicle on the road, you are expected to know all of the rules for performing that action and risk fines if you operate outside those rules. Do most of us push the speed limits when we drive? Yep, but we also accept that those flashing blue and red lights behind us mean we’re going to pay for breaking the rule. Claiming you didn’t know that certain information needed to be protected is like telling a cop that you didn’t know the speed limit, therefore you should be excused from responsibility. It doesn’t have to be something like a speed limit either. What about passing a school bus when its red lights are flashing? That’s illegal around here, and you deserve a ticket if you do this.
Ultimately, it comes down to choice. We all choose how involved we get in certain parts of our business, but that means we have to be responsible when things get away from us in areas where we stayed an inch deep. There is always an alternative. For example: how many cash-only businesses with on-premises ATMs have you seen pop up over the last few years? I’m certainly seeing a few more. Talk about a fast way to solve a PCI DSS problem and lower your compliance risk!