PCI DSS compliance can help with security; don’t ignore it
When it comes to understanding the value of data, organizations need to realize that sensitive information is gold dust.
Today, the digital transformation boom has increased the frequency of data collaboration between consumers and enterprises. In terms of importance, financial and credit card data sits firmly at the pinnacle of the data hierarchy. Unfortunately, cybercriminals are well aware of this fact and actively seek out this highly sensitive and lucrative information. To help prevent and protect against credit card fraud, hacking and other finance-related threats, the Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC). It requires all businesses that accept credit card payments from the main card providers such as Visa, Mastercard and American Express to comply with the set of guidelines set forth by PCI DSS, regardless of the size of the business or whether card information is collected.
Whilst this was a welcome move to combat the rising threat of credit card fraud, businesses have not reciprocated with PCI DSS compliance: research from Verizon's 2019 Payment Security Report reveals that in 2018 only 36.7% of businesses were fully compliant. In fact, the number of enterprises adhering to PCI DSS has been declining. In 2016, 55.4% were compliant, but this dropped to 52.4% in 2017. This is certainly a concerning trend and a warning for enterprises that are ignoring expert advice on securing critical information.
Why the lack of compliance?
If a breach is investigated and the business is determined to have been PCI DSS non-compliant, it is liable and risks a fine of up to $500,000. Given the amount of data processed at any one time, enterprises may view compliance with data protection and privacy standards like PCI DSS as time-consuming or non-compulsory. However, with consumers more aware of their rights, and of what is expected from enterprises in terms of data security, compliance can no longer be brushed under the carpet. So why might an organization not be PCI DSS compliant? Perhaps the organization has adopted a poor or inconsistent corporate approach. When you examine the research findings, one could assume that boardrooms are either viewing compliance nonchalantly or treating it as a one-time fix. This attitude is flawed for two reasons:
Compliance is regularly policed and requires constant assessment to ensure standards are being met
Failure to be compliant will be met by substantial fines for enterprises that could result in significant financial losses
Critically, if PCI DSS compliance rules are found to be intentionally ignored or abused, the guilty party may be excluded from processing card payments. Therefore, it is in the best interests of enterprises to be proactive and continually ensure they are meeting compliance. Ignoring this issue will only further increase the number of organizations that are non-compliant with PCI DSS.
Another issue facing organizations today is the constant noise within the security industry about new data security solutions backed by the latest technology. Enterprises are investing large sums in new defence technology to address many of the requirements set out by PCI DSS. For example, a number of organizations are still relying on compensating controls to meet Requirement 3.4, which demands that the Primary Account Number (PAN) be rendered unreadable wherever it is stored.
However, when push comes to shove, organizations are quickly realizing that these compensating controls are not solving the issues and, instead, are actually failing to deliver on comprehensive data protection. This proves no shortcuts can be taken when securing financial data or personally identifiable information (PII).
Security: a stepping stone to compliance
As it stands, organizations are following the wrong approach to data security, which is negatively impacting their chances of being PCI DSS compliant. What is required is a holistic, data-centric strategy that implements the necessary safeguards to maintain both the protection of critical data and compliance. One of the key elements of this defence would involve tokenization technology. Tokenization renders sensitive data unreadable to unprivileged users, whether the data is in motion, in use or at rest, and supports compliance with PCI DSS Requirements 3 and 4. This is beneficial because the tokenized data cannot be traced back to a specific individual. Given the importance of data security in this day and age, it's high time boardroom executives and security departments comprehended that compliance is not security. Rather, it's security that leads to compliance, and that should be the mantra to follow.
As the PCI SSC is continually reviewing and updating the PCI DSS standard to better protect the payment industry, it's critical for organizations to stay up to date and review their current security policies to ensure that both security and compliance are being met.
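To make the tokenization point and Requirement 3.4 concrete, here is an added example (not the article's or comforte's code) of a minimal tokenization vault: it validates the PAN, issues a random format-preserving token that keeps only the last four digits, ensures the token never passes the Luhn check so it cannot be mistaken for a real card number, and releases the PAN only to an assumed "settlement" role. The vault's in-memory dictionary stands in for a separately secured system.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a PAN tokenization vault (not a vendor product).

    A token is random digits with no mathematical relationship to the PAN, so
    holding the token alone never reveals the card number, which is what
    Requirement 3.4 asks for. The PAN-to-token map lives only in the vault.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # format-preserving: keep the last four for receipts, randomize the rest
            body = "".join(secrets.choice("0123456789") for _ in pan[:-4])
            token = body + pan[-4:]
            # reject collisions, and reject tokens that happen to pass Luhn so a
            # token can never be mistaken for (or accidentally used as) a real PAN
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the assumed settlement role may recover a PAN; all else uses tokens."""
        if caller_role != "settlement":
            raise PermissionError("role %r may not detokenize" % caller_role)
        return self._token_to_pan[token]
```

Because every stored token fails Luhn while every accepted PAN passes it, a token can never collide with a real card number in the vault.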
This article was contributed by Trevor Morgan, Product Manager at comforte AG