The newly issued PCI Compliance Report from Verizon is quite telling as to how under-reported data breaches are globally.
Hackers are clearly ahead of where PCI-DSS compliance requirements are currently and the use of “Best Practices” in this industry, needs to be done by going above and beyond outdated standards.
The dichotomy of the term “Best Practices”:
A set of guidelines, ethics or ideas that represent the most efficient or prudent course of action. Best practices are often set forth by an authority, such as a governing body or management, depending on the circumstances.
By definition “Best Practices” does not mean using the broken standard.
Page 5 says: “Less than a third (28.6%) of companies had maintained full compliance within a year of validation, and no more than 74% had sustained compliance with any individual Requirement” – Interesting and here is probably why:
The status quo has cybersecurity as an afterthought, cleaning up the mess after the breach. Governance initiatives for many Enterprises conjures up a Reactive, Lackluster, and Unimaginative state of affairs. PCI-DSS; including other Compliance efforts, is dealt with minimal motivation and a “getting it over with” attitude. The substantial finding from Verizon is to be expected as the first step in adopting Compliance is a “Call to Action” for the People supporting these Enterprises. Recent impact to Revenue, Reputation, and Resources for many High-profile Organizations has motivated Technology Leaders to emphasize Governance. It is time for the leaders of the technology cyber industry to step up, after all isn’t solving problems the very definition of technology?
Page 6 says: “of all the data breaches our forensics team has investigated over the last 10 years, not a single organization was PCI DSS compliant at the time of the breach” -There is a reason why we saw so many payment breaches in 2014 PCI:
The reality is hackers are nimble and unregulated while the regulating bodies are slow and extremely regulated. What is left? TECHNOLOGY. The solution needs to be defined, designed, developed and deployed. There’s an absolute and unequivocal relationship. PCI-DSS calls out “Best-Practice” techniques in protecting critical information; with a wide-array of controls for Front-End, Middle-Tier, and Backend platforms. While the PCI framework is not the cure for all breaches, it was created as a Launchpad to 1) Setup an intermediate technical roadmap, 2) Create and energize a forum aligning Customers, Businesses, and Technology, 3) Promote “checks and balances” for each responsible party, fair to their level of activity.
The challenge now is for technology and its leaders to develop products and solutions that exceed “minimum” requirements/standards in order to be ahead of and defeat the hacker.
For more articles by CEO Richard Blech, visit the Secure Channels Inc website here.