The recent string of breaches at prominent retailers such as Target and Neiman Marcus demonstrated that too many organizations still falsely equate PCI compliance with comprehensive security. Fully compliant organizations are being hit with attacks that compromise payment card data on a regular basis.
In the aftermath of these incidents, it’s important for stakeholders to realize that adhering to PCI guidelines is really just the start of the journey. Organizations must devote more attention to properly implementing key security mechanisms and addressing any gaps in their IT systems. To this end, they can use compliance solutions that monitor exit point traffic and offer granular access management controls.
Efficacy of PCI-DSS called into question after high-profile breaches
Like Heartland Systems, which suffered substantial data loss after a 2008 malware infection, Target appeared to be PCI compliant at the time of its breach. So why were its systems compromised?
The issue may be that PCI-DSS standards haven’t kept pace with evolving attack vectors such as malware, which aren’t always strictly addressable by PCI guidance. On top of that, the slow movement toward EMV technology and end-to-end encryption has left many magnetic stripe cards and point-of-sale terminals vulnerable, even for compliant merchants.
In other words, organizations may still be regarding PCI-DSS as a security catch-all, when in reality it’s just one resource among many that can and should be used to protect their payment systems. By wrongly treating it as a goal rather than as an enabler, merchants are setting themselves up to be nominally compliant after an assessment, but prone to falling back into risky practices shortly thereafter.
For example, a Verizon study of 500 large organizations found that only 11 percent of them maintained compliance between assessments. Essentially, they’re not using PCI-DSS as an everyday tool for mitigating risk.
Rather than treat PCI compliance as an academic exercise or a panacea for threats, organizations should use it to inform their risk management strategies. Such an approach requires getting real-time information about security events and being able to consolidate and transform that data into accessible compliance reports with solutions such as PowerTech.
Ultimately, retailers will have to take steps on their own to defend their operations from attacks. PCI-DSS can help, but only if security measures are properly implemented and stakeholders are aware of the specific risks they need to address.
“Retailers’ security does not end with PCI-DSS; it begins with it,” stated Gartner analyst Anton Chuvakin, according to BankInfoSecurity. “The retailer security team may well have planned for the risk of POS malware, with no regard to PCI-DSS. After all, it is their business and they need to protect it–not the council, not the card brands, not others.”