When we’ve invited guests over to our house, I usually spend the afternoon before they arrive cleaning – my wife likes the place to be immaculate. Within a few days, however, our house is just as messy as it was before. According to a recent report from Verizon Business, many organizations behave the same way with PCI compliance. The report (available here as a PDF) states, among other findings, that 79% of businesses examined in 2010 did not meet the PCI-DSS standard, and that most of those that failed the audit were compliant the year before.
The PCI Data Security Standard (PCI-DSS) is a set of security requirements that merchants, payment processors and financial institutions must meet to protect cardholder data. Version 1.0 was released in 2004 by the major payment card brands (Visa, MasterCard, American Express, etc.), which went on to form the PCI Security Standards Council to maintain it. The current version, v2.0, was released in 2010 and defines twelve requirements that must be met by any business that stores, processes or transmits credit and debit card data. So why is it so uncommon for these businesses to remain compliant? It’s a relevant question, because you and I want to do business with merchants that take measures to keep our financial data safe.
There are likely various causes for the gap in compliance. Organizations might feel the need to “just get the box checked” – and as a result they act like a teenager cleaning his or her room, covering up the disarray so that it’s just out of sight. It doesn’t take long for the place to get out of order after the auditors leave.
Cost and complexity are also factors, and many of the requirements are ongoing obligations rather than one-time tasks. There’s nobody to watch the logs from the new firewall (Requirement 10 calls for reviewing logs at least daily); there’s no money for the annual penetration test this year (Requirement 11.3); the CIO got too busy and didn’t have time to finish the annual review of the company’s security policy (Requirement 12.1).
Properly securing a business can be like training for a marathon. It requires a long-term commitment, doing hard work that doesn’t have an immediate reward, and most of all, it can really hurt. But remembering our responsibilities – to our customers and their data; to our shareholders and owners; and to our own employees – is key. All of these folks would be adversely affected if a breach were to occur!
The requirements mandated by PCI-DSS aren’t just good for businesses that process or store cardholder data. They’re solid recommendations that can improve the security posture of any organization with critical systems or data to protect. If your organization doesn’t have a formal security program, PCI can be a great place to learn about controls and defenses. Other resources, such as ISO 27002, NIST SP 800-53, or the SANS 20 Critical Security Controls, describe the steps to start developing the people, process, and technology required to protect your business.
If you are subject to PCI-DSS, don’t stop there! PCI is the beginning of the journey, not the end. After all, organizations that are PCI compliant can still suffer breaches, because a compliance assessment only shows that the controls were in place on the day they were examined. Heartland Payment Systems, whose 2008 breach (disclosed in January 2009) exposed millions of card records, had been validated as PCI compliant at the time. A comprehensive information security program goes beyond boxes on an audit report: it includes maturity that’s baked into the business at a foundational level, and a culture that cares first and foremost about protecting its data and assets.