GLOVES OFF: Do PCI standards alone protect data?
The gloves are off
Robert Russo: General manager, PCI Security Standards Council
More than 25 years of industry experience
Your best defense against becoming the victim of a data breach is to be compliant with the payment card industry (PCI) standards. If you become PCI compliant, you've already reached the level that you need to be at to protect consumers' credit card data.
We are continually updating the standard, with input from all of our stakeholders, because obviously the people who are stealing credit card data are not sitting still. Once data thieves come up with one way to breach a system, they move on to discovering the next.
The people who should be concerned with being PCI standard-compliant are those storing, moving or collecting credit card data. A merchant accepting the credit card data should ensure that any third parties that will handle this data are also compliant.
At this point we are seeing a lot of uptake on compliance. A data breach could have not only a detrimental effect, but could also literally put you out of business. I'm not just talking about fines — I'm talking about brand recognition and confidence, people walking away and not using your brand anymore.
Consumers are not quite savvy enough to know the difference between credit card fraud and identity theft. When somebody steals their credit card, they think their identity has been stolen. They panic and think that people are able to open up new credit cards in their name.
From my standpoint, and a security standpoint, this fact only serves the greater good. Consumers then go to the merchant and say, “Are you PCI-compliant? Are you guys protecting my data?”
David Taylor: President, PCI Alliance; founder, PCI Knowledge Base and VP of data security strategies, Protegrity
If you think that PCI compliance and protecting customer data are the same thing, then I have some news for you: Anyone familiar with the Sarbanes-Oxley Act of 2002 knows that compliance is a whole different ballgame from security.
PCI standards provide a technical roadmap for companies that haven't done much to protect valuable customer data. The problem is with the process of achieving compliance. In an effort to build up compliant percentages while shoring up consumer confidence, the process gives merchants credit for having a particular control in place — even if that control doesn't actually work properly. The most obvious examples are security policies that are neither followed nor enforced, intrusion detection systems that are incorrectly tuned, or alerts that are not monitored on a daily basis. PCI Knowledge Base is currently conducting a survey about what merchants are doing to achieve PCI compliance.
One of the most frightening implications of the rush to declare victory in the PCI war is that once a company has implemented security controls, it is actually more liable if it experiences a breach. Companies that have software to alert them to a problem, but that ignore the alerts, have exhibited negligence.
The checklist approach to security, which PCI encourages by being so technically comprehensive, can be counter-productive and expose the company to greater risk, if the staff and skills aren't in place to actually follow the procedures, monitor the systems and take immediate action.
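The gap Taylor describes, a control that is present on paper but not operated, can be made measurable. The following is an added example, not code from DMNews or from either participant: it takes a constructed IDS alert queue (hypothetical alert IDs and timestamps) and contrasts the checklist question ("is an IDS deployed and alerting?") with the effectiveness question ("are alerts reviewed within a window, and is anyone looking every day?"). The 24-hour review window and the 90% timely-review threshold are assumed policy values, not figures from the page.

```python
"""Checklist presence versus operational effectiveness of an alerting control.

Added example: constructed data, assumed thresholds, not from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None means nobody ever reviewed it


# Constructed sample data: a hypothetical IDS alert queue, not real telemetry.
NOW = datetime(2008, 6, 10, 9, 0)
CONSTRUCTED_ALERTS: List[Alert] = [
    Alert("A-001", datetime(2008, 6, 9, 10, 0), datetime(2008, 6, 9, 12, 30)),   # reviewed in time
    Alert("A-002", datetime(2008, 6, 8, 22, 15), datetime(2008, 6, 10, 8, 0)),   # reviewed, but late
    Alert("A-003", datetime(2008, 6, 7, 3, 40), None),                            # never reviewed, stale
    Alert("A-004", datetime(2008, 6, 10, 8, 45), None),                           # open, still inside window
    Alert("A-005", datetime(2008, 6, 6, 14, 0), datetime(2008, 6, 6, 14, 20)),    # reviewed in time
]

REVIEW_WINDOW = timedelta(hours=24)  # assumed policy: every alert reviewed within a day
MIN_TIMELY_RATE = 0.9                # assumed policy: at least 90% reviewed on time


def checklist_view(alerts: List[Alert]) -> Dict[str, bool]:
    """The checklist auditor's question: does the control exist and produce output?"""
    return {"ids_deployed": True, "alerts_generated": len(alerts) > 0}


def effectiveness_view(alerts: List[Alert], now: datetime,
                       review_window: timedelta = REVIEW_WINDOW) -> Dict[str, object]:
    """The operational question: what actually happened to each alert?"""
    in_time = 0
    late = 0
    stale: List[str] = []
    for a in alerts:
        if a.acknowledged_at is None:
            # Unreviewed alerts only count as stale once the window has elapsed.
            if now - a.raised_at > review_window:
                stale.append(a.alert_id)
        elif a.acknowledged_at - a.raised_at <= review_window:
            in_time += 1
        else:
            late += 1
    return {
        "total": len(alerts),
        "reviewed_in_time": in_time,
        "reviewed_late": late,
        "stale_unreviewed": stale,
        "timely_review_rate": in_time / len(alerts) if alerts else 0.0,
    }


def days_without_review(alerts: List[Alert], now: datetime) -> List[str]:
    """Calendar days, from the oldest alert to now, on which nothing was acknowledged.

    Any day listed here is evidence that 'monitored daily' was not true that day.
    """
    if not alerts:
        return []
    reviewed_days = {a.acknowledged_at.date() for a in alerts if a.acknowledged_at is not None}
    day = min(a.raised_at for a in alerts).date()
    gaps: List[str] = []
    while day <= now.date():
        if day not in reviewed_days:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps


def control_effective(alerts: List[Alert], now: datetime,
                      min_rate: float = MIN_TIMELY_RATE) -> bool:
    """True only if the control is operated, not merely installed."""
    e = effectiveness_view(alerts, now)
    return (e["timely_review_rate"] >= min_rate
            and not e["stale_unreviewed"]
            and not days_without_review(alerts, now))


if __name__ == "__main__":
    print("checklist:", checklist_view(CONSTRUCTED_ALERTS))
    print("effectiveness:", effectiveness_view(CONSTRUCTED_ALERTS, NOW))
    print("days without review:", days_without_review(CONSTRUCTED_ALERTS, NOW))
    print("control effective:", control_effective(CONSTRUCTED_ALERTS, NOW))
```

On this constructed queue the checklist view reports the IDS as deployed and alerting, while the effectiveness view shows only two of five alerts reviewed on time, one stale alert nobody has touched, and two calendar days with no review activity at all. The same queue therefore passes the presence check and fails the effectiveness check, which is exactly the situation Taylor warns creates liability rather than protection.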
THE DECISION: Knockout
While Russo maintains that constantly adjusting the PCI standard and monitoring new data theft tactics is a cure-all for good data security, Taylor suggests strengthening both the processes and the systems, for employees as well as for software. He warns that the checklist approach may have a dangerous placebo effect. While PCI is undeniably a good first step, DMNews agrees that it should not be your only one.