PCI can be a real InfoSec wake-up call: merely attempting to comply with the many PCI DSS requirements can provide benefits across the business, where previously the business was completely unaware of the risks, or perhaps hadn't been treating those risks with the proper regard. Forcing a business into action to meet the specific PCI requirements often results in security improvements across the entire business, so not just tightening the security of the credit card data in its possession, but of personal and confidential information as well.
Love it or hate it, PCI does business good
The truth of PCI DSS is that most of its 260-odd individual requirements, which set the minimum baseline for PCI compliance, are just industry best information security practices anyway. So businesses are supposed to be doing the lion's share of them already. What PCI DSS does in the small to medium business environment (when taken seriously) is force businesses to take note of, and ultimately implement, these best practices, in most cases applying the security improvements holistically across the business. For instance, measures such as establishing a good patch management process, anti-virus deployment and information security policies are applied to, and benefit, the entire business, not just the cardholder environment, so the business ends up killing many data protection birds with one stone.
Today 90% of the card fraud in the UK occurs within level 4 merchants (the smallest of businesses), specifically due to web application vulnerabilities, vulnerabilities which have been around for over 10 years. Yet if these businesses were PCI DSS compliant, it would be fair to say the majority of these breaches just wouldn't occur. This statistic is actually a testament to the success of PCI DSS in medium to small businesses, in that larger companies (level 1 to 3) have been chased and forced to address PCI DSS compliance by their acquiring banks, as opposed to the heavily breached small businesses, which have yet to be vigorously chased for compliance; but given the latest fraud stats, they can soon expect to be chased for compliance too.
I am not saying PCI DSS is perfect, lord knows it isn't, and I do understand the arguments made by infosec leaders working within larger enterprises, which already treat information security as a business service priority. But I find it very hard to argue that PCI DSS is not helping medium to small businesses, not only to protect cardholder data, but to improve their general information security, even if they aren't strictly fully compliant with the standard. Trying to comply with, and meet most of, the PCI DSS requirements seriously reduces their breach risk, not just for cardholder data, but for the personal data they hold as well.
One final point I want to be crystal clear on: a business cannot be considered PCI DSS compliant if it is not meeting all of the PCI DSS requirements, not just on the date of the PCI assessment, but 365 days a year, 7 days a week, 24 hours a day. The QSA's successful Report on Compliance will not save a business from fines if a breach were to occur due to the business not meeting even a single compliance requirement. How many businesses are truly compliant in this way is up for debate.