PCI Compliance Only the Start of Security

Reports that companies involved in some of the latest data breaches were PCI-compliant continues to spark discussion of whether PCI is a solid measuring stick for overall security. Industry observers say yes, but businesses need to change their check-list approach.

When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.

Similar talk surrounded the situations with Heartland Payment Systems, Hannaford Bros. and just about every other data breach that has happened since the Payment Card Industry Data Security Standard (PCI DSS) was first established. But the question then becomes whether PCI is truly a useful security metric if so many breached businesses seem to be compliant.

According to security observers, the answer is yes. The problem is the mindset many businesses have.

"The worst part of passing a PCI audit is that it creates a false sense within upper management that your systems are fully protected," said Phil Neray, vice president of security strategy at Guardium. "Management needs to understand that security and compliance are continuous, ongoing processes, not one-time -check-off' events, and they need to prioritize the people and budgets to make this happen."

PCI compliance, he continued, provides a set of guidelines and a starting point for security and application teams. But it doesn't replace a detailed analysis of insider and outsider threats in an organization, or rigorous attention to processes for closing security holes, he added.

PCI compliance is, after all, just a snap shot in time. Organizations compliant at the time of an audit can theoretically be knocked out of compliance before the next one by a single control change.

"Security is a 24/7, 365-day-a-year thing," said Bob Russo, general manager of the PCI Security Standards Council.

After the Heartland breach, which is widely considered to be the largest criminal breach of card data ever, the company began pushing for an industrywide adoption of end-to-end encryption. It was too late to avoid the breach they experienced, but not too late to help avoid one in the future.

"Any business foolish enough to simply make -compliance' their only security goal has made a serious, and sometimes fatal, mistake," opined Michael Maloof, CTO of TriGeo Network Security. "Companies have embraced the intent of the regulations and have accepted the responsibility to secure their networks, train their employees and maintain a state of vigilance to ensure their systems remain secure. Other companies see PCI as yet another tax on their businesses and do everything they can to pay as little as possible-that is, until they are forced to pay for the consequences."

Those consequences can be costly. Earlier this year, a survey performed by the Ponemon Institute found that the average cost of a data breach-from detection to notification and response-increased to $202 per record in 2008 from $197 a year earlier. Then there is the cost of lost business and a damaged reputation.

"I think what happened in the case of some of these breaches ... that should be onus enough to make you think about what you need to do to become secure," Russo said. "These are disruptive, to say the very least, to your business. Your reputation suffers, not to mention the fact that there are fines that are handed down by the [payment card] brands, but again the fines are the least of it.

"The way to not have to go through this is to comply with the standard," he added.

Beyond the requirements themselves, the PCI council has reached out to retailers to improve security. For example, the council has opened up the training it provides to assessors to security pros working for retailers so they are trained the same way the PCI auditors are.

"Most organizations seem to have a checkbox attitude toward PCI and want to use PCI as an excuse if anything bad happens. ... There seems to be significant misunderstanding between the concepts of compliance, validation and security," Forrester Research analyst John Kindervag said. "Compliance incentivizes security. PCI exists because companies who took credit cards didn't have adequate basic security, and now it is being forced upon them."