PCI DSS compliance is serious business for anyone who processes or accepts major payment cards. Retailers or payment processors who are found to be in violation of PCI DSS can be fined millions of dollars, and they may even be stripped of their ability to accept major credit cards.
However, PCI DSS compliance standards are highly complex, and achieving compliance can be an expensive, tedious process. Not surprisingly, many organizations – already facing budget and staffing constraints – feel that once they have achieved compliance with PCI DSS, they have done everything they need to do to secure their customer data. Their cyber security begins and ends with PCI DSS compliance.
After these same organizations are breached, their spokespeople often tell the media (and the cyber security firms they hire to clean up the mess), “We have no idea how this could have happened. We were compliant.”
PCI DSS Compliance Alone Does Not Guarantee Data Security
While PCI DSS compliance reduces the risk of data breaches, it does not eliminate them. Both Target and Home Depot were compliant with PCI DSS when their POS systems were breached, exposing tens of millions of consumer credit card numbers. Target had just gotten its PCI DSS compliance certification only two months prior to the hack.
Unlike HIPAA, the healthcare compliance standard that is heavy on documentation and procedures and light on technical specifics, PCI DSS goes into quite a bit of detail regarding best practices that retailers and payment processors must adopt. For example, PCI DSS compliance requires changing default passwords on system components. However, all of these technical details can provide organizations with a false sense of security. PCI DSS does not cover every single security measure every organization must take to protect its data, nor could it do so. Technology is advancing too quickly for any set of standards to keep up. Mobile technology, cloud applications, and Internet of Things (IoT) devices are exploding in popularity, and with each new application and gadget comes a whole new set of vulnerabilities for hackers to exploit. By the time a new set of technical standards was issued, they’d already be out of date.
PCI DSS also cannot address the specific risks in every data environment at every organization, and it cannot account for the weakest link in every organization’s cyber security: its people. Human error, negligence, and purposeful malicious activity account for nearly half of all data breaches. That’s why social engineering techniques are so popular among hackers. An organization can be PCI DSS compliant – and then, an employee clicks on a link in a spear phishing email and inadvertently unlocks the front door to the company’s system.
Customer Data Security Begins, But Does Not End, With PCI DSS Compliance
PCI DSS compliance and data security work together to protect your organization’s data. A compliant organization has the foundation to build out a cyber security plan that addresses the specific risks in its data environment. At the same time, a proactive cyber security plan helps organizations achieve and maintain compliance.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization.