Another week, another credit card breach? It's seemed that way lately with the recent string of big-name companies like JPMorgan Chase, Home Depot, Kmart and now potentially Staples falling prey to cybertheft. One question on many IT professionals' minds: Is compliance with PCI DSS standards enough to protect our data?
The Payment Card Industry Data Security Standard (PCI DSS) was introduced as a set of policies and procedures intended to improve the security of credit, debit and cash card transactions and protect cardholders' personal information. It's become clear, however, that PCI DSS standards don't represent a catch-all system for keeping payment information safe. In SearchCompliance's recent #GRCchat, site editors and fellow tweeters discussed the effectiveness of PCI DSS compliance regulations and proposed improvements that might better secure credit card data.
Do the stipulations outlined in PCI DSS compliance requirements represent sound customer data protection strategy? Why or why not?
Participants, including SearchCompliance Site Editor Ben Cole, agreed that meeting PCI DSS standards is a solid foundation for companies, but it's not enough to totally assure data protection. In other words, PCI compliance doesn't mean you can "set it and forget it" when it comes to protecting payment information:
One participant pointed to risk management and cost control as important considerations for companies looking to go above and beyond the PCI DSS standards, touching off a dialogue on security and customer convenience in retail companies.
What are some specific instances in which PCI DSS compliance processes are lacking from a customer data protection standpoint?
When discussing the challenges around PCI DSS compliance, participants noted that unnecessary complexities can distract organizations from their larger security goals. Streamlining the process can allow organizations to spend more time and energy monitoring data flow:
Another participant called attention to a lack of proper patch management -- particularly surrounding point-of-sale (POS) devices -- as a potential downfall in securing customer payment data. Regularly installed patches ensure the highest possible level of vulnerability management, he said, and companies need to do a better job of monitoring overall system health to help keep known vulnerabilities from going unaddressed:
Q2 Exposing Cx data through unpatched POS devices an obvious & seemingly stupefying lapse #grcchat— knowlengr (@knowlengr) October 16, 2014
Can better PCI DSS audit processes determine where data security is most vulnerable and help prevent high-profile breaches like the recent ones?
Compliance enforcement and assessment measures, such as audits, are good tools for confirming that security measures and processes are in place, are functioning properly and are kept up to date. But meeting the letter of the standard doesn't necessarily mean better security, according to some participants, who debated the importance of an improved audit process in pinpointing security flaws:
A3 (cont) Audits won't be much help if businesses are just trying to meet minimal compliance requirements to avoid fines #GRCchat— Ben Cole (@BenjaminCole11) October 16, 2014
Do you think adherence to PCI DSS standards is enough to protect your company's consumer data? What more should be done? Please sound off in the comments section below.