Is The PCI DSS Enough?

Submitted by andyeliason
Fri, 16 May 2008

The Payment Card Industry Data Security Standard (PCI DSS) was created by the five major credit card companies to guide merchants that store, process, or transmit credit card data toward creating a safe environment for those transactions. The goal was to help merchants identify and correct problems before hackers can take advantage of them.

The question then becomes: is the PCI DSS enough to do this?

Security breaches are a dangerous thing for both merchants and consumers. The detrimental effects on a consumer losing their personal data should be obvious. The effects to merchants can be far reaching and just as painful. The consequences for a merchant could include regulatory notification requirements, loss of reputation, loss of customers, financial liabilities, and, of course, litigation.

When security breaches are analyzed after the fact, a number of common weaknesses that allowed unauthorized access keep recurring. These include: storing magnetic stripe data, inadequate access controls around poorly installed POS systems, default passwords still in place, unnecessary or vulnerable services still in place, poorly coded web applications, missing or outdated security patches, no logging, no monitoring, and a lack of segmentation in the network.

The good news is that the PCI DSS addresses all these problems. If you have reached PCI compliance then, in theory, you have taken care of these weaknesses and implemented the security necessary to protect cardholder data on your system and in transit. If you are compliant, you are then also granted a safe harbor of sorts if you are still breached.

Wait a minute. Still breached? But wasn't PCI DSS compliance supposed to eliminate that possibility? If you can still be breached, what, then, is the point of expending all the money, resources, and time on becoming compliant?

In recent history we've had an example of just this problem. A chain of grocery stores on the east coast suffered a breach and thousands of credit card numbers were stolen. The breach was bad, but not nearly as bad as some of the other breaches that have made the news. So what was the big deal here?

The big deal was that this chain of stores was validated as PCI DSS compliant. Things should have been safe. They had reached compliance and that compliance had been verified. So what happened?

Immediately the questions were asked: is the PCI DSS enough to protect sensitive information? What will the Payment Card Industry do if all investigations prove that the chain had strictly followed the proper requirements? Will the PCI Security Standards Council provide that safe harbor, or will they claim that the grocery chain had let the requirements slide at the time of the breach and thereby preserve the integrity of the PCI DSS? Or did the grocery store chain really let its adherence to the standards slide?

We'll have to wait for the final results of the investigation to find many of these answers. However, there are still a number of things that can be learned.

The first is in answer to the title question. Yes, the PCI DSS is enough... to combat those problems that were listed above. Is this a good thing? Yes. These are problems that have caused a lot of trouble in the past, and taking care of them is the first step toward stronger security.

Then what about the grocery store example? How can you maintain strict adherence throughout the year when other business concerns demand your attention?

A popular option these days has been to move the PCI DSS compliance burden out of your company's area of responsibility. Outsourcing your payment processing is one way of making sure that the personal data you need is stored with a company that is uniquely positioned to maintain the strictest adherence to the PCI DSS.

So is the PCI DSS enough? The answer appears to be both yes and no. Yes, it is enough to start building strong security; no, it is not enough if you don't maintain it. Continual maintenance appears to be just as important as the initial compliance.

About the Author

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS, or outsourcing payment processing, visit Braintree Payment Solutions today.


Source: ArticleTrader.com
Creative Commons License
