Some very common phrases thrown around these days are:

“Compliance does not equal security.” “You must go above and beyond compliance.”

These are incredibly frustrating statements for merchants who spend all that time and money staying compliant and implementing all the necessary security controls. So, is it true?

Those who make this statement either see compliance as passing an audit at a point in time or are just repeating a confusing, catchy phrase. A better definition of compliance is a baseline of ongoing security measures that will reduce the risk of a breach. The standards imply that compliance must be continuous. They also imply that compliance cannot guarantee security, as they outline measures to take in the case of a breach. In fact, a security guarantee is an impossible goal with the current technology the credit card industry makes available to merchants.

Security is a complex process. To protect cardholder data you must scan and test your servers and applications and address all known vulnerabilities quarterly. You must have the proper segmentation and use firewalls between trusted and untrusted networks with the appropriate restrictions on allowable traffic. You must encrypt transmitted and stored data and handle cryptographic keys correctly. You must use AAA, intrusion detection, file integrity monitoring, and anti-virus tools, which all feed an advanced log management system to proactively detect suspicious activity. You must restrict access to the CDE based on a least-privilege policy to reduce the risk of the internal threat. You must monitor everything daily and review all processes, configurations, and personnel bi-annually. And so on and so on. If you are adhering to the compliance requirements continuously, you are taking great steps to reduce the risk of a breach and should not be held accountable.

This is not to say there aren’t holes in the compliance standards. The lack of a requirement for end-to-end encryption in PCI is an obvious hole that is being addressed, but the technology is not easily affordable or available to merchants in many cases. The industry allowing QSAs to audit their own security applications is another flaw.

Holes aside, the only way today for a merchant to be one hundred percent secure from a breach is to not transmit, process, or store credit card information. This does not necessarily mean they’d never be able to allow their customers to buy with credit. It means the credit card industry has not provided the technology necessary to relieve merchants of the need to protect credit card information. They’ve provided merchants with an inherently insecure mechanism to handle financial information yet hold the merchant accountable for attacks that exploit these flaws.

The last time the credit card industry made a big leap in technology in the US was in the 70s, when they went from the carbon paper “ka klunk” method to using a magnetic stripe to read credit card information. In Europe, they’ve moved to chip and PIN, but even that doesn’t solve the entire problem. With smart devices that can fit in wallets, the internet, and the ubiquity of mobile services, the foundation of technology is there to solve the whole problem. It’s time the credit card industry made the leap to the 21st century.

In the meantime, which may be a while, the best merchants can do is to not get discouraged by the complexities of compliance and to truly take it seriously. It will make you more secure, reduce risk, and protect your most valuable asset, your customer.

