Is PCI Security a business opportunity or a get out clause?
by Ciske van Oosten
Recently I discussed Enabling PCI Security success in an ever changing world and examined the divide in understanding among many businesses that perceive PCI Security as a mere technical issue rather than as business critical. With the threat landscape constantly changing and data volumes continuing to grow, organizations face greater challenges and increased responsibility: the more sensitive data they store, the more they are exposed to potential data breaches and vulnerabilities.
The Verizon 2014 PCI Compliance Report found that too many businesses, following their annual assessment, failed to maintain ongoing compliance – putting those businesses at an increased risk of data breaches and of financial and reputational damage. In 2013, 11.1% of organizations were fully compliant with the Standard at the time of their baseline PCI DSS assessment, up from just 7.5% in 2012. And we continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus.
Over the next couple of weeks, I will discuss the frequently asked questions about PCI Compliance and the opportunities that compliance with the Standard ultimately offers. For this edition, let’s concentrate on compliance vs. complacency.
I often get asked: "Can PCI Compliance really be seen as a business opportunity?"
"Yes, Yes and Yes!!!" Compliance, security and data protection should be viewed as entirely business critical within an organization – and ultimately an opportunity for every compliant business. The PCI Security Standards Council itself stated that the changes in DSS 3.0 were designed to, "help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice."
Organizations can benefit from making compliance activities part of business as usual, but are likely to require some guidance about the assessment, management, change control, and incident response activities that help them run their security and compliance programs. Closer alignment with, or references to, information security governance and management quality standards — and in particular, the inclusion of capability and performance maturity models — would help to address this.
Done right, compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate new revenue. For example:
- Improved business efficiency - PCI Security compliance initiatives provide a valuable opportunity to study and reconsider business operations from end to end, through process optimization, improved internal communication, and greater management oversight of security and associated spending.
- Enable efficient IT services - Efforts to comply with PCI Security standards almost always involve changes to IT as well as to the business. Compliance programs offer an opportunity to take a strategic view of systems and investments that may have built up over years or even decades. Consolidating and revamping that infrastructure produces benefits in security, business continuity, manageability, and system performance.
- Reduced risk - The initiation of a PCI Security compliance program is often the first time any serious attention is given to information assurance across an organization. The baseline set of controls it provides can be applied to other kinds of data and systems outside of the cardholder data environment, helping improve overall security and reducing exposure to risk.
- Increased innovation - Compliance isn’t just about plugging gaps. PCI security compliance can help drive innovation such as the adoption of new technologies (such as cloud computing and mobile), new ways of working, and in fact new business models. For example, some retailers have deployed new Point-of-Sale systems to meet PCI Security requirements and realized significant benefits in increased throughput and a new revenue channel through advertising opportunities.
- Increased customer trust - Tomorrow’s customer is going to be even more demanding than today’s. Big data and advanced analytics offer unprecedented insight into customer behavior, but only if customers fully trust an organization with their data. Applying PCI security standards across customer operations will help protect customer privacy and can help build trust in a company’s brand.
So if compliance can reduce risk, does that risk reduction make us more ‘efficient’?
First, we need to be clear that organizations need to continually review not only their PCI Security compliance status, but data protection policies within their universal security practice. Being 100% compliant with PCI DSS, at a point in time, will not necessarily make a business 100% secure – it is one part of the bigger security solution.
By reducing risk, organizations can become more ‘efficient’ – however, the word ‘efficiency’ in this context does not mean that once compliance has been achieved, other security controls can be avoided or deemed irrelevant! Stronger integration of risk measurement and management - making it an integrated part of the evaluation of control effectiveness - should not result in organizations skipping required controls or bypassing the compensating controls process, but should in fact make PCI DSS more relevant and effective.
However, reducing risk and minimizing the spread of cardholder data across an organization brings important benefits. Within a PCI DSS compliant environment, the risk of data leaking or being stolen is limited, and so is the scale of any breach that could happen as a direct result. By creating designated "compartments" between the various networks within an organization to categorize and securely contain business data, the likelihood of a data breach spreading throughout an organization’s IT infrastructure may be reduced. According to our Verizon 2013 Data Breach Investigations Report, 78% of data breaches took weeks, months or even years to be discovered, giving hackers plenty of time to hunt around for what they’re really after.
In a nutshell, it is not enough to just implement controls and assume that this makes an organization safe. Without a well-designed and maintained risk measurement program, there’s no way to reliably prove the effectiveness of controls or the actual level of risk that remains in a business. There is a real danger in doing the minimum possible to comply - just ‘ticking the boxes’ provides little comfort in the aftermath of a breach.
Watch for my next article in this series, which will cover PCI Compliance’s association with data breaches in more depth, along with the disparity we see across industry verticals and geographical regions.
In the world of IT security, knowledge is power. Verizon is a highly respected security provider with a depth of insight into PCI compliance. Learn more about how we help companies manage risk and maintain brand reputations.