If you are only meeting the minimum standard to comply with PCI DSS regulations are you really secure? One only has to take a look at the breaches at Target, TJX, or Home Depot to see the damage that can be inflicted upon a retailer. Why it is that compliance does not equal security?
PCI DSS applies to all entities, including federal agencies that process, transmit and store cardholder data. Any operation that takes a credit card payment from a customer needs to meet PCI DSS compliance. Organizations that fail to maintain compliance with the PCI DSS can be subject to fees and penalties. What organizations need to understand is that PCI DSS does not go far enough to keep you protected.
1. Always new threats on the horizon
In September of 2014, Home Depot was breached, resulting in the exposure of millions of customers’ debit and credit card data. But it is not only the large retailers who have experienced data loss, those are just the ones you hear about.
The 2014 Verizon Data Breach Report states that in 2013 there were 63,437 security incidents from 50 participating Global Organizations with 1,367 confirmed breaches. The sophistication of the hacking community is on the rise and there are always new threats on the horizon. Cyber criminals are looking to break into retailers’ point-of-sale (POS) systems to steal customer data and sell it on the black market to buyers. Where there is a profit to be made, these hackers will continue to evolve their tactics to find a way into the system.
2. Compliance is a minimum standard to meet
While compliance can serve as a prime motivator for improving security it is only designed to help you comply with the laws that protect the storage of sensitive cardholder information. Compliance with the law does not guarantee your data is safe.
If you do store, process and/or transmit account data, PCI DSS compliance only requires that the financial transactions are carried out securely and your customers’ cardholder data is stored securely during and after transactions. It does not define how that data should be stored and as it has been proven time and again that minimum protections do not stop would be hackers.
3. Compliance does not equal security
Many organizations make the mistake of believing their major efforts to achieve compliance means that their data will be secure. This just isn’t true. The pace of retail data theft has not slowed down with companies such as Dairy Queen, Neiman Marcus, and Staples all suffering losses. The 2013 Target attack that resulted in a loss of over 70 million credit and debit card numbers was a wakeup call to the community. At the time, the company had been recently certified as PCI compliant. The company has since undertaken a concerted effort to revamp its information security practices, realizing that protecting sensitive data involves both security and compliance.
One way to ensure the security of customers is to not store any cardholder data. However this does not work in a case where the attack takes place at the point of sale. Two-factor authentication has been identified as a way to protect remote access at the application level. Moving forward there will be new PCI DSS standards brought forth, don’t be fooled into thinking that they will be enough to protect your organization. You will need to go above and beyond.
In order to build and manage a security posture that goes far beyond compliance to protect data, consider working with technology experts. Patriot Technologies is a system integrator experienced with retail customers that can identify the best practices and technologies that are right for your organization. Patriot works with best-in-class technology partners to offer a comprehensive and secure solution that will meet your business needs.