“We’ve been breached, millions of records are in the hands of attackers, but don’t worry – we promise to do better.”
This headline has run on a seemingly weekly basis over the last few years: multi-million- and billion-dollar companies publish vague press releases notifying the public of a data breach and promising that they will learn from the experience so that it cannot happen again.
Uber, Capital One, Marriott, British Airways: all caught with practices that compromised the sensitive information of millions of their customers. If you believed the press releases, you would think these were abnormal events, that these companies had rigorous data protection policies in place and that bad actors merely managed to find a back door. Surely in an industry like payment card processing, which has had a formal data security standard since 2004, the vast majority of companies that handle sensitive information would be compliant? Unfortunately, the diagram to the right tells a very different story.
Every year a division of Verizon publishes a Payment Security Report. For this year's report, its team analyzed data from over 300 representative organizations in the Americas, Asia Pacific, Europe, the Middle East, and Africa, spanning finance, hospitality, retail, IT services, and other industries. It found not only that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) is hovering around 36%, but that the share of organizations in full compliance has been trending downward since 2016. Despite the weekly breaches dominating the headlines, fewer and fewer organizations that accept payment card data are sustaining the controls the standard asks for.
What Is PCI Compliance?
In December 2004, the major card brands (Visa, Mastercard, American Express, Discover, and JCB) merged their proprietary data protection programs into what came to be known as PCI DSS. The goal was a single set of comprehensive requirements that any organization handling payment card data would follow, rather than a different set of protections for each card brand. The standard's twelve requirements are grouped under six control objectives:
- Build and Maintain a Secure Network and Systems.
- Protect Cardholder Data.
- Maintain a Vulnerability Management Program.
- Implement Strong Access Control Measures.
- Regularly Monitor and Test Networks.
- Maintain an Information Security Policy.
There are four merchant levels, assigned by annual transaction volume. Level 4 is the lowest, for merchants processing fewer than 20,000 e-commerce transactions a year; Level 1, which requires an annual on-site assessment rather than a self-assessment questionnaire, is for those processing more than 6 million transactions a year.
What Makes PCI Compliance So Challenging?
In testimony before a House of Representatives subcommittee on cybersecurity in 2009, the CIO of Michaels Stores made the following statement:
“The PCI Data Security Standards are an extraordinarily complex set of requirements. They are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve ‘requirements’ for PCI compliance. In fact, there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.”
The Verizon report suggests that, in response to guidelines this vague and subjective, companies have adopted a checklist attitude toward data protection: follow a certain number of steps and you are sufficiently covered. That provides only a false sense of security, and it is the primary reason nearly two thirds of the organizations assessed would not be considered PCI compliant.
3 Strategies for Improving PCI Compliance
Although the downward trend and the frequent headlines are disheartening, there are three clear and immediate steps your organization can take toward sustainable PCI compliance:
- Keep encryption keys in cryptographic hardware: PCI DSS Requirement 3 does not stop at rendering stored cardholder data unreadable; it also requires the keys used to do so to be protected against disclosure and misuse, and it explicitly lists storage inside a secure cryptographic device such as an HSM as an accepted way of meeting that requirement. A key that sits on the same host as the data it protects, readable by the same process and the same administrators, is the finding an assessor looks for first. Holding keys in a TPM or HSM is the most direct way to satisfy the requirement and to give an auditor evidence that the keys were never exposed.
- Clearly determine what data needs encrypting, and what does not: One of the primary reasons for the decline in compliance is the degree to which compliance-related activities disrupt day-to-day operations, and that disruption usually stems from treating every piece of information as if it were sensitive. PCI DSS draws the line itself. The PAN is the field that must be rendered unreadable wherever it is stored. Cardholder name, expiry date and service code may be stored and must be protected when kept alongside the PAN, but need not be encrypted. Sensitive authentication data (full track data, the CVV2/CVC2 printed on the card, PINs) may never be stored after authorization, so the cheapest protection for it is not to keep it at all. Order IDs, amounts, timestamps and other business metadata are out of scope. Classify your fields along those lines and encrypt only the PAN, and the scope of data that needs cryptographic protection shrinks immediately.
- Start small and build your compliance plan over time: Though PCI DSS can be daunting even to billion-dollar companies, each step your organization takes toward better data security pays dividends down the line. Proper use of encryption and cryptographic key management helps not only with compliance but also with limiting the damage from ransomware and the other attacks that are becoming more and more common.
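The first two strategies above, keys held behind a hardware boundary and encryption confined to the fields that need it, as an added example in Go. This is illustration code written for this page, not StrongKey's software and not part of the original post. The KeyStore interface marks where an HSM or TPM would sit; memoryKeyStore, CardInput, StoredOrder, the order values and the well-known Visa test PAN 4111 1111 1111 1111 are all assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
	"strings"
)

// KeyStore is the boundary to the key material. In production Seal and Open are
// calls into an HSM or TPM and the key never leaves the device; memoryKeyStore
// below is an in-memory stand-in assumed for this example so that it runs offline.
type KeyStore interface {
	Seal(plaintext, aad []byte) ([]byte, error)
	Open(sealed, aad []byte) ([]byte, error)
}

type memoryKeyStore struct{ aead cipher.AEAD }

// newMemoryKeyStore draws a fresh AES-256 key from the system CSPRNG.
func newMemoryKeyStore() (*memoryKeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &memoryKeyStore{aead: aead}, nil
}

// Seal returns nonce||ciphertext||tag under a fresh random nonce; aad is
// authenticated but not encrypted, which is how a ciphertext gets tied to its record.
func (m *memoryKeyStore) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; a truncated or tampered blob, or the wrong aad, fails here.
func (m *memoryKeyStore) Open(sealed, aad []byte) ([]byte, error) {
	if n := m.aead.NonceSize(); len(sealed) >= n {
		return m.aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// CardInput is what the checkout form hands over (values constructed for this example).
// CVV is sensitive authentication data: usable for the authorization, never to be stored.
type CardInput struct {
	OrderID, Name, PAN, Expiry, CVV string
	Amount                          int // cents
}

// StoredOrder is the only shape that reaches the database. The PAN is the one
// field rendered unreadable; order metadata, name and expiry stay in the clear
// (protected by the access controls around the database, not by encryption);
// the CVV has no field at all.
type StoredOrder struct {
	OrderID, Name, Expiry string
	Amount                int
	MaskedPAN             string // first six and last four digits, the maximum PCI DSS allows to be displayed
	PANCipher             []byte // AES-256-GCM, bound to OrderID through the AAD
}

var panRe = regexp.MustCompile(`^[0-9]{13,19}$`)

func maskPAN(pan string) string { return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:] }

// Protect validates the PAN, encrypts only that field, and drops what must not be stored.
func Protect(ks KeyStore, in CardInput) (StoredOrder, error) {
	if !panRe.MatchString(in.PAN) {
		return StoredOrder{}, errors.New("PAN must be 13 to 19 digits")
	}
	ct, err := ks.Seal([]byte(in.PAN), []byte(in.OrderID))
	if err != nil {
		return StoredOrder{}, err
	}
	return StoredOrder{OrderID: in.OrderID, Name: in.Name, Expiry: in.Expiry, Amount: in.Amount,
		MaskedPAN: maskPAN(in.PAN), PANCipher: ct}, nil
}

// RevealPAN is the single code path that needs the clear PAN (a refund, say), so it
// is the only place decryption happens and the one call worth logging and rate-limiting.
func RevealPAN(ks KeyStore, rec StoredOrder) (string, error) {
	pan, err := ks.Open(rec.PANCipher, []byte(rec.OrderID))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}
```

Three things to take from it: the KeyStore interface is the only piece that changes between the offline stand-in and real hardware, so the rest of the code never sees a key; the PAN is the only field that costs a cryptographic operation, while the CVV never reaches the record and the order metadata is stored as-is; and using the order ID as associated data means a ciphertext lifted from one order and pasted into another fails to decrypt instead of silently yielding a different customer's card number.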
StrongKey has been helping companies pass PCI DSS audits for over a decade. Contact us to get personalized recommendations for your organization.