Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Small Business

    PCI Compliance Only the Start of Security

    By
    Brian Prince
    -
    July 30, 2009
    Share
    Facebook
    Twitter
    Linkedin

      When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.

      Similar talk surrounded the situations with Heartland Payment Systems, Hannaford Bros. and just about every other data breach that has happened since the Payment Card Industry Data Security Standard (PCI DSS) was first established. But the question then becomes whether PCI is truly a useful security metric if so many breached businesses seem to be compliant.

      According to security observers, the answer is yes. The problem is the mindset many businesses have.

      “The worst part of passing a PCI audit is that it creates a false sense within upper management that your systems are fully protected,” said Phil Neray, vice president of security strategy at Guardium. “Management needs to understand that security and compliance are continuous, ongoing processes, not one-time -check-off’ events, and they need to prioritize the people and budgets to make this happen.”

      PCI compliance, he continued, provides a set of guidelines and a starting point for security and application teams. But it doesn’t replace a detailed analysis of insider and outsider threats in an organization, or rigorous attention to processes for closing security holes, he added.

      PCI compliance is, after all, just a snap shot in time. Organizations compliant at the time of an audit can theoretically be knocked out of compliance before the next one by a single control change.

      “Security is a 24/7, 365-day-a-year thing,” said Bob Russo, general manager of the PCI Security Standards Council.

      After the Heartland breach, which is widely considered to be the largest criminal breach of card data ever, the company began pushing for an industrywide adoption of end-to-end encryption. It was too late to avoid the breach they experienced, but not too late to help avoid one in the future.

      “Any business foolish enough to simply make -compliance’ their only security goal has made a serious, and sometimes fatal, mistake,” opined Michael Maloof, CTO of TriGeo Network Security. “Companies have embraced the intent of the regulations and have accepted the responsibility to secure their networks, train their employees and maintain a state of vigilance to ensure their systems remain secure. Other companies see PCI as yet another tax on their businesses and do everything they can to pay as little as possible-that is, until they are forced to pay for the consequences.”

      Those consequences can be costly. Earlier this year, a survey performed by the Ponemon Institute found that the average cost of a data breach-from detection to notification and response-increased to $202 per record in 2008 from $197 a year earlier. Then there is the cost of lost business and a damaged reputation.

      “I think what happened in the case of some of these breaches … that should be onus enough to make you think about what you need to do to become secure,” Russo said. “These are disruptive, to say the very least, to your business. Your reputation suffers, not to mention the fact that there are fines that are handed down by the [payment card] brands, but again the fines are the least of it.

      “The way to not have to go through this is to comply with the standard,” he added.

      Beyond the requirements themselves, the PCI council has reached out to retailers to improve security. For example, the council has opened up the training it provides to assessors to security pros working for retailers so they are trained the same way the PCI auditors are.

      “Most organizations seem to have a checkbox attitude toward PCI and want to use PCI as an excuse if anything bad happens. … There seems to be significant misunderstanding between the concepts of compliance, validation and security,” Forrester Research analyst John Kindervag said. “Compliance incentivizes security. PCI exists because companies who took credit cards didn’t have adequate basic security, and now it is being forced upon them.”

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×