Whenever there is a breach of payment information, someone at the business where it occurred is going to be held accountable. According to the New York Times, in the wake of one of the biggest breaches in retail history, Target CIO Beth Jacob resigned this week.
Gregg Steinhafel, Target's CEO, said that this will be the beginning of an "overhaul" of how the company protects sensitive information. He added that while the investigation is ongoing, Target recognizes that the state of the security environment is evolving rapidly.
A recent article from ComputerWorld examined this move by the business and asked whether others share the blame.
The article features an interview with Gartner analyst Avivah Litan. She noted that while the challenges of keeping payment information safe are changing dramatically, there are other factors that need to be examined. One thing no one is talking about, she said, is the fact that Target had been certified as PCI compliant. Despite this certification, a massive security breach still occurred, one that impacted 110 million customers.
"I don't understand why the qualified PCI security assessor is totally off the hook in this case," Litan noted. "CIOs rightfully rely on [qualified security assessors] to certify PCI compliance. Sure the standard response is 'well things change between annual assessments.' Yes they do, but that's a big copout on the QSA's part if you ask me."
The important takeaway here is that an organization's PCI compliance reflects the point in time at which its security was assessed. Environments change constantly, and keeping the controls that earned the certification in place afterward is a separate challenge. An organization that was PCI compliant yesterday might not be secure today, which is why it is important to ensure your organization is maintaining both its controls and its compliance continuously, not only when the annual assessment comes around.