What Does a Certification Actually Certify?
The Target breach and the gap between compliance paperwork and operational security
On September 20, 2013, an independent security assessor certified Target Corporation as PCI-DSS compliant. Eight weeks later, malware was running on nearly every cash register in the company.
This week’s episode traces the full attack path from an HVAC contractor’s stolen password to 40 million compromised payment cards. But the episode can only touch on what I think is the most important question the Target breach raised — and the one the compliance industry has still never fully answered.
Every control that appeared in Target’s post-breach settlement injunction — network segmentation, two-factor authentication, default credential elimination, application whitelisting, threat detection and response — had been documented in existing guidance before the breach occurred. Most were in the same PCI-DSS standard Target had been certified against. The earliest guidance was four years old. The most recent was two years old.
Target was not operating without a framework. It had been assessed. It had been certified. The certification said it met the standard. The breach demonstrated that it did not.
This is not a Target-specific problem. The gap the Target breach exposed exists wherever compliance certification is treated as equivalent to operational security. Certification measures whether an organisation can demonstrate adherence to a set of controls at a point in time, under the conditions of the assessment, to the satisfaction of the assessor. Operational security is whether those controls are deployed, maintained, monitored, and responded to continuously.
These are different things. The Target breach is what happens when an organisation achieves the first and assumes it has achieved the second.
Three questions worth sitting with:
1. Who is the certification for? PCI-DSS certification exists because the payment card brands (Visa, Mastercard) needed a mechanism to distribute liability. If a merchant is certified compliant and still breached, the liability framework shifts. The certification serves the ecosystem’s risk distribution needs. Whether it serves the merchant’s actual security posture is a different question — and the Target breach suggests the answer is: not necessarily.
2. What does “point in time” mean in practice? Target was certified in September 2013. The breach began in November 2013. Two months. The certification did not become wrong in those two months — the gaps it failed to catch were there during the assessment. The point-in-time framing implies that security is a snapshot. In practice, security is a continuous state, and snapshots can miss what was already there.
3. What happened to Trustwave? The assessor that certified Target compliant eight weeks before the breach — Trustwave — was later retained by Target as part of the incident response team. The same organisation that certified the security posture that failed was brought in to help recover from that failure. This is not inherently corrupt — Trustwave had deep familiarity with Target’s systems. But it illustrates a structural tension in the compliance ecosystem that remains unresolved.
The full episode covers the technical attack path, the missed alerts, the financial consequences, and every missing control with its pre-breach guidance date. The one-page PDF summary is available for download below.
