Let’s make a quick distinction: maintaining PCI DSS compliance isn’t the same as maintaining the security of payment card data. Though complying with the Payment Card Industry Data Security Standard (PCI DSS) will help you protect sensitive information, it may not prevent a data breach.
PCI DSS requirements provide a framework to comprehensively audit your IT security posture. But maintaining PCI DSS compliance should be part of a broader cybersecurity strategy that protects against threats from multiple fronts.
Even PCI-compliant organizations have been victimized by breaches, SearchCompliance.com noted in an article on how PCI DSS compliance fails to raise the bar on financial fraud. Heartland Payment Systems, which had account information on 130 million credit card users stolen, confirmed that data was lost after the company's PCI DSS compliance audit was complete.
Data breaches and the damages associated with them continue to mount despite the efforts of regulators and organizations.
- Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion.
- Despite the above, cybercrime is still projected to reach $6 trillion by 2021, double what it was in 2015, according to the 2017 Annual Cybercrime Report from Cybersecurity Ventures.
- The average cost of a data breach globally increased 6.6 percent to $3.86 million in 2018, according to the 2018 Data Breach Study conducted by Ponemon Institute.
A Square article on what you need to know about PCI compliance notes that the failure to comply with PCI standards and any resulting data breaches could produce damaging consequences such as lost business, legal costs, fines and penalties, and higher subsequent costs of compliance. Your company could even be forced to close if your business depends on payment card data and you are breached, whether you are PCI compliant or not.
Don’t do a PCI DSS assessment just to get a certificate. Focus on security as the reason.
If you implement your security posture in the right way, your compliance should be a byproduct of your data security. Consider compliance a starting point to understand how to aggressively defend yourself from attacks.
Test for Vulnerabilities
Regularly conduct penetration testing to spot any vulnerabilities. Go beyond the minimum requirements for PCI compliance.
- Web Application Testing: Annual web application testing addresses testing and reporting requirements in PCI DSS Requirement 6.6.
- Vulnerability Scanning: Quarterly vulnerability scans from an approved scanning vendor (ASV) address scanning and reporting requirements in PCI DSS Requirement 11.2.
- Penetration Testing: Annual penetration testing addresses testing and reporting requirements in PCI DSS Requirement 11.3.
SearchCompliance.com reported that some cybersecurity experts “... worried over the low bar set by PCI DSS and other industry standards, which do a poor job of testing for sophisticated Web hacks that exploit holes in Web applications or take advantage of loose business logic.” The article also noted, “Flexible, risk-based testing and compliance strategies will address the challenge posed by a broad spectrum of smart (and dumb) attacks.”
Adopt the NIST Cybersecurity Framework
The U.S. Department of Commerce’s National Institute of Standards & Technology (NIST) created the voluntary NIST Cybersecurity Framework to protect critical infrastructure through standards, guidelines, and practices. It is meant to help organizations better understand, manage, and reduce their cybersecurity risks.
The Framework can help your organization prioritize your cybersecurity investments and increase your returns by determining which activities are most important to assuring critical operations and service delivery. The Framework Core covers five concurrent and continuous functions.
“When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk,” NIST explains. “The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.”
Adopt a Zero Trust Policy
Zero Trust is a model for more effective security because it requires organizations to consider threats internally as well as externally, according to a CIO.com article: “The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn’t pose a threat and therefore was cleared for access.”
Some data breaches have occurred because attackers capitalized on lax internal security after getting past organizational firewalls. A Zero Trust policy gives your organization additional protection through measures such as multi-factor authentication and policies such as limiting each user's access to data to the minimum needed to do their work.
PCI compliance does not equal security. Focusing on securing your payment card data comprehensively instead of simply complying with the PCI DSS will help you protect against data breaches holistically.