The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect consumers by encouraging businesses to do more to protect payment card details. A recent survey by US Internet giant Verizon found that compliance with PCI DSS can be a powerful force in fighting cyber-crime – but many organisations struggle to maintain full compliance with the standard.
Speaking to Computer Weekly, Verizon’s head of advisory services Gabriel Leperlier commented: “Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach.” This is a remarkable finding. Why, then, do so many organisations struggle to comply with the standard?
Firstly, it helps to examine the 12 requirements of PCI DSS:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
In addition to these 12 requirements, digital security teams must contend with changing technology, workplaces that are riddled with web-connected devices, malicious employees and a host of determined hackers, criminals and foreign agents – who are all working day and night to access a company’s valuable data.
As Leperlier puts it: “Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees, so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them.”
Achieving and maintaining PCI DSS compliance does not guarantee that you won’t be hacked – but failing to maintain compliance is a sure-fire way to attract the attention of hackers and criminals. After all, dropping the ball on PCI DSS compliance effectively means you’re making life easier for anyone who wants to steal your data.
There are many examples of companies that have paid a heavy price for data breaches that could have been prevented by complete compliance with PCI DSS. For example, US retail giant Home Depot agreed to pay at least $19.5 million to consumers harmed by a data breach in 2014. The breach occurred because Home Depot used inadequate security software and weak data protection policies. Under PCI DSS, companies are required to conduct vulnerability scans – something that was not carried out fully at Home Depot.
PCI DSS compliance may be difficult to achieve and maintain, but it seems the costs of dealing with a major data breach are likely to be far higher than the price of meeting the 12 requirements outlined above.