We've all seen the news stories about threats to data security, including recent disclosures of large-scale breaches. So it's understandable--perhaps inevitable--that questions would surface about the viability of the Payment Card Industry Data Security Standard. After all, the PCI DSS has been largely touted as one of the best tools to protect cardholder data and fight breaches, and yet they continue to occur. In fact, in that light, some now suggest that PCI DSS has failed.
But rumors of the demise of the PCI DSS are premature--as well as counterproductive to the long-term security of our industry. The standard hasn't failed, nor has the industry in its efforts to keep payments secure. Thanks to massive investments and innovative solutions from our industry, fraud levels remain near their all-time low.
The reality is that fighting payment fraud is complex and multidimensional; there's simply no single solution to make fraud go away. Without a collective and multilayered approach, the payment industry would be vulnerable. Together, we can stay ahead of criminals and maintain confidence in electronic payments.
Standards aren't the same as security. We need to remember that PCI DSS compliance is different from validation, which is merely a starting point, not the finish line. Any company handling consumer data needs to realize that security isn't confined to an annual assessment. Companies that certify they have achieved PCI DSS compliance at a point in time, or within a limited scope of their systems, aren't relieved of their responsibility to keep data secure every day and across their entire organizations.
In today's environment, smart companies should consider several steps for implementing an effective security strategy, including:
- Assess vulnerabilities carefully and focus on risk mitigation.
- When determining the scope of an assessment, consider all systems that handle cardholder data as well as any connected networks, especially public-facing systems like corporate Web sites.
- Remember that PCI DSS requirements should be applied to all relevant systems, not only those selected by an assessor or internal audit for review.
- Develop a consistent approach to integrate PCI DSS controls throughout organizational processes.
While no lock is burglarproof, a responsible store owner wouldn't leave at night without locking every door and window. Similarly, the PCI DSS has proven to be a highly effective foundation of minimum security standards when properly implemented across all systems handling cardholder data. In fact, no compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.
Increased PCI DSS compliance has reduced the storage of full magnetic-stripe data, which has helped mitigate the impact of breaches. As a result, criminals have migrated away from stored data and now attack data in transit. Yet, if implemented correctly, PCI DSS can also help thwart attempts to access a company's systems and "sniff" data in motion. Compliance with PCI DSS has proven effective in preventing hackers from accessing a company's systems, and in detecting and mitigating the effects of unauthorized intrusions if they occur.
In sum, there's no silver bullet when it comes to protecting consumer data. As criminals get better at what they do, our efforts to stop them must keep pace. We should continue to explore new tools to help prevent or limit fraud in our system, including encryption, authentication technology, and customer alerts. But while we evaluate the costs and merits of these additional solutions, we must continue to deploy the best tools we have available today to fight fraud--starting with the PCI DSS. PCI DSS compliance simply remains the best defense for businesses against the loss of sensitive consumer information.
-- Adrian Phillips, Deputy Chief Risk Officer, Visa