A reader recently asked the PCI DSS Guru the following question:

“The whole world knows that Target suffered a serious data security breach that resulted in the compromise of millions of credit card numbers.  Does this mean that Target was in violation of PCI DSS?  Is it possible to be compliant and still suffer a breach?”

It is indeed possible to be PCI DSS compliant and still suffer a security breach.  Remember, PCI DSS is only a set of best-practice standards designed to improve the security of credit card transactions.  It is not a guarantee of safety, and a retailer that suffers a security breach may well have been compliant with PCI DSS at the time.

That said, a major credit card security breach will almost certainly trigger an investigation by your merchant bank.  During that investigation, they will be looking at your compliance with a fine-toothed comb.  As we all know, PCI DSS is simply too complex for any organization to fully satisfy every letter of the regulation at all times.  If an auditor is approaching you with a “let’s find a violation” attitude, you are bound to fail your audit.

In every case where I’ve seen a PCI DSS post-breach audit, the results of the audit have been negative, citing one or more compliance failures at the targeted organization.  Penalties for non-compliance followed shortly thereafter.  So, if I were Target’s CISO, I would be expecting a fine in the near future.