Why is Compliance Crucial to Security Programs?

Simon Stacey

October 28th, 2020

If you are evaluating an eCommerce solution, the security of your customer and corporate data is extremely important. You likely want to understand what the security program of your potential eCommerce partner includes. A key aspect of leading security programs is compliance. In this blog, we will explore what compliance is and why it matters for digitally-driven brands.  

What is compliance? 

Compliance is a third-party-adjudicated process of ensuring that an environment has been deployed to a certain level of security confidence. The goal for any deployment of an eCommerce solution is to inspire trust in your brand and to provide a reliable platform for online commerce. Compliance ensures that eCommerce platforms can reliably transact business without the individual customer having to independently audit every single online store they come across. Compliance enables businesses to feel confident that their shoppers' personal information will not be leaked online.

Why does compliance matter? 

Compliance is a complicated process of ensuring that corporations can trust each other without the requirement to spend weeks auditing each other for every deal. It enables mutual trust and transparency to ensure that if we work together, we will not show up in the news. This process ensures that no one is the link in the chain that causes a shutdown of the client's global fleet due to a vendor being compromised. 

What is the difference between being compliant and being secure? 

There is a difference between being compliant and being secure. Compliance is primarily an exercise in ensuring that the environment in question meets baseline standards, while the practice of security is to prevent compromise and ensure continued successful business operation. Baseline regulations are of use; however, a successful security practice goes beyond checking boxes.

There is a natural conflict between seamless business flow and ensuring that an environment is sealed tightly enough not to leak. A good security practice is in service to the successful running of the enterprise and must be accommodating. Needless restrictions that inhibit flow will in reality cause workarounds to be created that are significantly worse than if the restriction had been designed around the use case to start with. For example, it is better to just install VLC onto every desktop than to have users download adware-infested apps when they need to play that cute birthday video.

Compliance regulations such as PCI, SOC 2, GDPR, and CCPA can be of use in demonstrating the business value of security at an executive and board level. However, at a technical level, these regulations should not be the limit or only blueprint for how to safeguard a system. A good compliance program takes the stipulations of PCI and uses them as a guide to implement a strong security culture.   

How can I ensure my commerce solution values compliance? 

When evaluating the results of a particular vendor's compliance process as an interested client, there are a few things to keep in mind:

  • If the document that has been provided did not require an NDA, then it is unlikely to contain anything revelatory of the vendor's security practices. Check that the marketing story is confirmed by the contents of the attestation.
  • Ensure that the security attestation that is provided is relevant and at the correct level of compliance for your environment. For example, an SAQ A self-assessment document provides a very different level of assurance than a Level 1 Report on Compliance. The former would not be appropriate for an environment that processes payments or connects to such an environment. The latter enables the environment to store credit card details or connect to environments that have a similar compliance requirement.

As the world becomes more and more focused on digital experiences, compliance is vitally important to successfully enable a shift of commerce from the past into the digitally-focused future. Compliance allows the executive team to sleep easy knowing that they will not show up in the news as the latest cautionary story. 

Simon Stacey

Simon is a Security Architect at Elastic Path.