Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Oct 26, 2009

Who cares about PCI DSS?

Posted by Dave in survey findings , security , PCI DSS , heartland , Application Security

The PCI DSS is a set of minimum requirements designed to reduce the likelihood of a data breach occurring. The emphasis is on 'minimum set of requirements' and 'reduce the likelihood': preventing attacks by sophisticated attackers requires a much higher standard of security. In our recent blog post on the Heartland court filing documents we gained an insight into how PCI compliance was viewed by Heartland. Since publishing that post, two reports have emerged that give further insight into how PCI DSS is viewed by the wider community.

Imperva, specialists in data security, and the Ponemon Institute carried out a survey across more than 500 U.S. and multinational IT organisations. I will not go into detail on the survey findings, as you can read a detailed analysis of them at darkreading.com or iTWire. Importantly, the findings reveal that only roughly 30 percent of respondents take PCI security seriously, while the rest see it as a check box exercise. Had this survey taken place prior to the Heartland data breach, I suspect Heartland would have been among the 70% of organisations that viewed PCI DSS as a checkbox routine.


The Web Application Security Consortium has published its Web Application Security Statistics report for 2008. The report covers 12,186 web applications with 97,554 detected vulnerabilities of differing risk levels. It has several interesting findings, but the one relevant to this discussion is that 99% of the web applications assessed were not compliant with PCI DSS requirements. We have no information on the nature of the web applications included (for example, whether they were in the financial services industry), but even so this is a rather shocking statistic.


PCI DSS is a minimum set of requirements; realistically a much higher level of security is required to protect cardholder information. If the industry continues to struggle to implement even a minimum set of requirements, then data breaches will continue to increase.


Dave

Oct 21, 2009

PCI Compliance is not a big deal?

Posted by Dave in security , PCI DSS , online payments , data protection , Application Security

Recent high-profile credit card data breaches have prompted an upsurge in media coverage of PCI DSS, a data security standard that applies to anyone who stores, processes or transmits cardholder information. Most infamous was the Heartland Payment Systems breach, in which unauthorised persons hacked into Heartland's computer network. The attackers gained access to confidential financial data associated with approximately 130 million credit and debit cards. At the time the data breach occurred Heartland was officially recognised as PCI DSS compliant and was listed on the PCI Data Security Standards website. This case reminds us that PCI compliance is achieved at a snapshot in time, i.e. when the audit occurs.


Of course, the compromised cards were reissued, and the financial institutions which had issued those cards incurred significant costs as a result of the breach. Records from the court filing in the resulting case brought against Heartland by those institutions are now publicly available. The filing gives some insight into how PCI DSS compliance was viewed by Heartland. According to the court filing, Heartland conducted a private webinar for its high-level employees, sales representatives and relationship managers on the day after the breach was discovered. During this webinar managers were told that "PCI compliance was not a big deal".


According to the court filing, Visa's Chief Enterprise Risk Officer, Ellen Richey, reportedly said that the Heartland data breach would not have occurred had the company been vigilant about maintaining PCI compliance. Heartland may have held a PCI compliance certificate at the time the breach occurred but, as this illustrates, that only signifies compliance at audit time. The problem is a lack of ongoing vigilance in maintaining the standard. It is not enough to achieve PCI DSS compliance in order to pass an inspection; the true test is maintaining the standard at all times. To do this, security must be a priority for the organisation, which must understand its importance and aspire to exceed the standards set down by the PCI Security Standards Council (PCI SSC).



Dave
