Making PCI Compliance Business as Usual
One of the most notable aspects of the PCI 3.0 Security Standard is its emphasis on making PCI compliance “business as usual.” For most organizations, fostering a culture that protects payment card data actually means an end to business as usual: it requires replacing the current approach with a different, far more security-aware paradigm. Because the spirit of PCI compliance involves forging new behaviors, you’ll be redefining what “business as usual” means when you provide proper training and reinforcement targeted at developing new habits. Before long, you’ll have a new, more secure “business as usual”—and that’s the goal.
Developing such an approach stands in sharp contrast to the “check-the-box-and-forget-it” approach to compliance that seems to prevail. Proper PCI compliance means making security a proactive, rather than reactive, process. Christopher Strand, compliance consultant at Bit9, noted, “Compliance in the past had a tendency to be reactive since it was normally done in order to meet the annual or point-in-time obligation or review.” Bob Russo, general manager of the PCI Security Standards Council, agrees: “Though a company might be certified as PCI compliant, it’s important to remember the compliance certification is just a snapshot in time. You can be in compliance today and be totally out of compliance tomorrow, because of a failure to implement some required small security measure. This is really about security. Not about compliance. These are the bare minimum things you should be doing.”
Russo goes on to assert that companies that do implement all required PCI controls should be well-protected against data breaches. “The standard not only prescribes controls for blocking security intrusions,” he says, “but also for detecting them in the event that an intrusion occurs. Companies have often complained that they suffered a data breach even though they were fully certified as being compliant at the time of the breach. In reality, though, with every major payment card data breach in the past, companies were not PCI compliant when the breach happened.”
Finally, the security awareness training to effect true “business as usual” PCI compliance—the heart of the standard—makes good financial sense. Chris Camejo, director of assessment services at NTT Com Security (a provider of information security consulting services), observed, “Current estimates of the cost of a breach run between $200 and $300 per compromised card, which would mean Target would be looking at as much as $8 billion on the low end.”
PCI awareness training, which the standard mandates, will not only position your organization to avoid or mitigate breaches, but also boost your trustworthiness overall, yielding greater customer loyalty and profitability in the bargain.