In a recent Verizon report, only 21 percent of companies were found to be fully compliant with the PCI Data Security Standard (DSS) at the time of their Initial Report On Compliance (IROC). While this number seems low and even somewhat troubling, it’s also understandable. We’re in communication with companies as they evaluate PCI security options on a daily basis, and I’ve come to realize that many companies struggle to approach PCI-DSS from the right perspective. Focus is all too often placed on simply achieving compliance at a point in time rather than on creating a secure environment that maintains compliance over time.
When a distributed enterprise is tasked with creating a thorough compliance program, that program consists not only of making technology choices to achieve compliance, but also of having the resources in place to maintain that compliance. Too many people have their sights set on the details of how to achieve PCI-DSS compliance, and they sometimes forget that the goal is to be secure and to maintain compliance in order to protect invaluable customer and store data and keep up with industry standards.
I often think that a store striving to become PCI-DSS compliant after it has been audited is comparable to someone trying to get healthy after visiting the doctor. Taking one simple precaution to achieve compliance is similar to that person eating only carrots in order to lose weight. It may make the person healthier in one respect, losing weight and looking thinner from the outside, but it doesn’t necessarily mean they are living a truly healthy lifestyle. To maintain a healthy lifestyle, that person may need to adopt a broader set of practices such as getting regular exercise, eating properly, and taking vitamins, among other things. The enormity of changing so many things, the impact on the daily routine, and so on can make “being healthy” seem too daunting to take on. Living and maintaining a truly healthy lifestyle is hard, but changing one thing, like eating just carrots, may be achievable in the short term.
So, what the Verizon report highlights is that many organizations have been successful at addressing some areas or requirements of PCI-DSS but not all of them. Many organizations have put a firewall in place but don’t have a sound approach to intrusion detection or log management. They’re eating carrots: they’ve been able to tackle one achievable item but have not yet addressed everything the DSS outlines for being secure and compliant. The result is that they’re among the 79 percent of organizations not fully compliant at the time of their IROC. More importantly, they have not yet been able to fully establish a secure data environment.
Just like maintaining one’s health, maintaining a secure data environment must be approached holistically and practiced on a continuous basis; it is not something accomplished at a certain point in time with only limited actions. Merchants must have the resources available to make sure their networks and data are secure. When they don’t have the time or resources, security and PCI compliance can suffer, simply because it is beyond their means. As a security service provider, these are the instances where Cybera helps, because we enable retailers that are forced to work within constraints to maintain security and compliance regardless of their limited time or resources.
The analogy may be simple, but the message is clear: being secure, and as a result compliant, is tough. What are the areas in which you struggle the most? What’s the most difficult for your organization to address?
-Dan Glennon
