This fall marked the 10th anniversary of the Payment Card Industry’s Data Security Standard. Since it was first implemented in 2006, the standard has been updated seven times—proof that PCI is committed to keeping the standard current as technology and threats evolve. But are some merchants getting left behind?
Verizon’s latest PCI Compliance Report showed 80 percent of businesses studied still fail their interim PCI assessments. It seems that a large number of organizations are doing just enough to get by at audit time, but are unable to maintain their security controls long-term.
PCI Compliance? Check!
If many businesses aim to simply check the compliance box without establishing effective, sustainable controls, can anyone say PCI DSS is accomplishing the goal of protecting payment card data?
After all, merchant data breaches are still making headlines—retailer Eddie Bauer and hotel chains Hilton, Starwood, and Hyatt are recent examples. But significant progress has been made over the past 10 years.
Before PCI DSS, most businesses didn’t fully appreciate the security issues associated with cardholder data. The standard motivated merchants to reconsider how much sensitive data they store and how they protect it. No standard can guarantee data protection, but having a mandate in place gives customers the assurance that some minimum level of attention has been devoted to protecting their information.
“Minimum Attention” Is a Double-Edged Sword
Devoting some time, attention, and resources to data security is better than none. Without a standard in place, some organizations—especially smaller ones that don’t consider their data a likely target for cyberattackers—might completely ignore security until a breach, a leak, or malware demands their attention.
On the other hand, compliance mandates can instill a false sense of security. After all the work getting systems into compliance, generating the reports that prove compliance, and finally passing that all-important audit, it’s understandable that some IT staffers breathe a sigh of relief and forget about PCI compliance until the next time.
Security Isn’t a One-Time Event
In any organization, security requires regular, ongoing attention and maintenance. Just as your car needs regular oil changes, your security posture needs to be re-evaluated as your organization grows and threats evolve.
This is because compliance isn’t your only goal. Compliance should actually be a natural byproduct of security. If you’re following security best practices, you’re probably well on your way to complying with PCI DSS, HIPAA, or whatever security mandate affects your business.
In the conversation about what PCI DSS has meant to merchants over the past 10 years, it’s easy to overlook the value of security best practices. But the standard itself hasn’t overlooked best practices—because as best practices have evolved, so have PCI requirements.
Perfect compliance with PCI DSS across the board will probably never happen. At least with PCI DSS around, it will continue to push merchants in the direction of security best practices.
How can that be true when so many businesses seem to be operating with a “check the box” compliance mentality? Verizon’s PCI report showed that the percentage of businesses that were fully PCI compliant at their interim assessments increased from 10 percent in 2013 to 20 percent in 2014. That suggests more organizations are realizing the value of PCI DSS—and of security best practices.
Obviously, 20 percent leaves much room for improvement. But considering how the standard has evolved over the past decade—changing requirements for penetration testing, vulnerability assessments, encryption, and passwords—many businesses are much more secure today than they would be without PCI DSS.
If you’re looking to get PCI-compliant, check out our software solutions that can help you meet the requirements. For help identifying the security vulnerabilities commonly associated with compliance violations, request your free compliance assessment.