Your PCI Risk Assessment: Security vs. Compliance

May 14, 2015 at 8:58 AM

Many people think that security and compliance are the same thing, especially when looking at conducting a PCI Risk Assessment. In truth, these are two very different topics, yet the terms are used interchangeably very frequently. A good place for us to start is to define these terms so that we know what we are talking about and can see why they get interchanged:

  • IT Security is defined as defending the information that your organization holds and maintains from unauthorized access or use
  • IT Compliance is defined as being in alignment with various Federal, State and Industry regulations
While compliance always requires IT Security initiatives, the question of which comes first is sort of like the chicken or the egg. Here at Compass IT Compliance, we hold a firm belief that if you focus on IT Security best practices, particularly as they relate to your PCI Risk Assessment and PCI Compliance overall, you should have no problem complying with the PCI Data Security Standard version 3.1.

We also need to keep in mind that a PCI Risk Assessment, and PCI Compliance overall, is a point-in-time snapshot of your current security posture measured against that specific industry regulation. According to the Verizon PCI Compliance Report of 2015, 80% of all companies fall out of PCI Compliance shortly after completing their Risk Assessment or Report on Compliance. So what does this mean? How can this be possible? The answer is simple. We spend all of our time focusing on compliance with an industry regulation as opposed to implementing IT Security practices, and ultimately we fall out of compliance. What if we reversed the scenario? What if we focused on IT Security best practices first and then on compliance? I believe that we would see that 80% number drop dramatically, as we would have a culture of security as opposed to a culture of compliance.

Don’t get me wrong, compliance is critical for a variety of reasons, but again it comes back to the chicken vs. egg question of which one comes first. What do you think? In which order should organizations set their priorities in terms of Security vs. Compliance, particularly when it comes to going through your annual PCI Risk Assessment? Sound off in the comments section, as we would love to hear your feedback.