The recent Verizon PCI Compliance Report highlighted that there’s a link between PCI DSS-compliant organizations and their ability to ward off cyber-attacks. Even though PCI DSS got implemented more than 12 years ago, cybercriminals still breach companies to access cardholder data. In recent years, the number of cybersecurity breaches has increased significantly.
Compliant but Not Secure
Typically, cybercriminals target both companies that are PCI DSS-compliant, as well as those that are non-compliant. One of the main misconceptions relating to PCI DSS compliance is that it makes organizations hacker-proof. PCI DSS doesn’t guarantee security, and your company’s compliance status doesn’t automatically mean that it’s safe from cybercriminals.
Compliance only shows that you have enacted measures for preventing breaches. By complying, your company will minimize the probability and severity of data breaches. Compliance also provides a legal, safe harbor that protects you from costly litigation in the aftermath of a breach. However, you’ll still be vulnerable.
The PCI DSS compliance checklist includes security controls that address the most prevalent risk scenarios as well as known attack vendors that have been mapped out by the PCI SSC. Although the organization regularly updates its regulatory standards, standards, it is impossible to anticipate all possible attack scenarios. As the PCI Security Standards Council works to monitor possible threat scenarios and improve your ability to deal with them, you must secure your cardholder data environment.
The Verizon report pointed out that organizations that have met compliance standards are still vulnerable to breaches because the security controls implemented after a PCI audit was not sustainable. Likewise, some of the security controls that organizations implement are not resilient enough to withstand threats that emerge after the first PCI certification assessment. Therefore, it’s safe to assume that following the initial assessments, most organizations think that they are compliant, something that puts them at the risk of security breaches.
Why Do Compliant Organizations Get Breached?
You’d be forgiven to think that PCI DSS only entails passing your annual compliance assessment and obtaining certification. However, it’s a mistake to base your compliance efforts on such point-in-time events since you will fail to maintain compliance in between assessments. It isn’t surprising that most organizations that get breached lack mature compliance programs in place.
After acquiring certification, you should work to maintain your compliance status and prevent breaches by:
- Identifying locations where you’ve stored cardholder data so that you define your compliance scope
- Gaining control and visibility of all payment channels that could lead to unknown cardholder data flows
- Monitoring security controls periodically
- Implementing security awareness programs targeting your organization’s stakeholders. This will ensure that all the PCI DSS security controls are understood and applied accordingly
- Undertaking self-assessments without validating any security controls.
Do Unrealistic Expectations Make You Vulnerable?
Often, organizations set unrealistic expectations for their security assessors. These organizations expect the QSAs to understand business processes better than in-house staff, uncover vulnerabilities, and locations where cardholder data is stored. Although some QSAs might be familiar with your business and the industry in which it operates, it’s difficult for each QSA to be an expert in all sectors.
To make it easier for a QSA to discover all cardholder data storage locations, consider automating your processes. Otherwise, it would be unfair to blame a QSA for failing to identify undisclosed files. Therefore, some organizations get breached because their cybersecurity assurance rests on naïve expectations. The lack of due diligence during your compliance efforts can also prove to be detrimental.
Cyber Security Breaches and Human Error
It’s a well-known fact that human actors are the weakest link within the cybersecurity chain. Therefore, you shouldn’t expect your employees to be perfect when dealing with cardholder data. Instead, anticipate the fact that people might fail, and that human error is inevitable. For instance, IT staff may forget to apply security patches, or they may even misconfigure security settings.
Irrespective of the security controls that you might have in place, cybercriminals can still breach your cardholder environment by taking advantage of human error. Therefore, awareness programs are needed to arm employees and other stakeholders with knowledge on how they can minimize typical human errors that lead to breaches.
Lots of companies still struggle with PCI DSS compliance. Likewise, many companies still lose data to hackers even after obtaining PCI DSS compliance certification. Due to the wave of data breaches that we’ve witnessed in the past few years, there’s a need for you to not only comply with PCI DSS standards but also ensure that necessary security measures are in place.
There are endless reasons why organizations that are seemingly PCI DSS compliant still fall victim to data breaches. Compliance shouldn’t make you think that you are not vulnerable. Instead, it means that you should keep up with your compliance status to ensure that risks get minimized to almost zero.