Regulatory Requirements And PCI Standards

Attacks on all facets of business emphasize the importance of cyber security to every business. They are an important reminder, because many businesses see the threat of cybercrime as too remote to be worth the high cost and effort of defending against it. Restaurants and retail outlets are particularly vulnerable, because their point-of-sale systems are usually connected to the Internet. Small businesses that execute transactions online also expose merchant transactions to would-be attackers. The variety and scope of strategies available to cyber criminals are simply too great. These strategies include website compromise, email/spamming, social engineering, and viruses obtained from social networking sites. Typical anti-malware programs and a few personal identification numbers are no longer effective protection for small businesses against cybercrime.

In most facets of business, a large percentage of financial transactions occur electronically, by either credit card or debit card. Since these types of transactions carry an inherent security risk, acceptable standards needed to be defined. Many businesses fail to follow the Payment Card Industry (PCI) standards. Many business owners could avoid intrusions if they made sure that their point-of-sale software met these standards. PCI standards include a variety of measures that are particularly relevant for business owners but are often overlooked. These security measures include employee security awareness training, policies and procedures, transaction security measures (such as encryption standards and PIN codes), and frequent vulnerability scans. According to the PCI Security Standards Council, most network intrusions into a small business database take place in businesses that fail to meet PCI standards. The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements that enforce proper measures for processing, storing, and transmitting data in a secure manner. PCI DSS serves a purpose; however, many believe this regulation is nothing more than a hurdle that distracts from the true problem of security, and because of this controversy the PCI Security Standards Council has begun addressing a number of updates. The proposed changes begin to tackle the use of technology to determine vulnerabilities as well as secure coding fundamentals early in the Software Development Life Cycle (SDLC). While PCI DSS addresses the issue of security, it does not remove the responsibility a business has; in fact, Bob Russo of the PCI Security Standards Council stated:

Ultimately, it is the merchant’s responsibility to make sure that they have the right contracts in place, and make certain that their providers are working in a compliant manner.

Still, business and industry experts are speaking out, saying that PCI DSS is often too slow to adapt to the constant change of technology. For example, in 2006 TJX Companies fell victim to a breach via wireless technology, and the PCI Security Standards Council did not produce guidance in this area until mid-2009.

Achieving PCI DSS compliance brings with it the task of addressing additional components of security that apply at all levels of business. While regulations provide direction as to what is expected, they do not address how to achieve compliance. Because of this, a business must define internal processes that ensure compliance by accounting for training, policy, communications, and planning. As a result, many argue that regulations conflict with the day-to-day operations of Information Technology (IT) where true security is concerned. While many would like a solution that clearly defines expected behaviors and outcomes, this is not realistic. Every business must define the processes that work best in its given circumstances.

While many companies may feel that regulations place an undue burden upon them, the reality is that security breaches typically decrease. It is a proven fact that businesses that adopt PCI DSS and take on its challenges are much more secure than those that do not. To support this assertion, the 2011 PCI DSS Compliance Trends Study depicts the value to organizations that adopt PCI DSS.

What is probably most alarming is the fact that the businesses that suffered one or fewer breaches were non-compliant. Could it be true that PCI DSS is nothing more than a hindrance? To answer this question, it is important to note that for businesses that suffered two or more breaches, breaches increased relative to those businesses that were compliant. The lesson to take away here is that regulations were never intended to be the final solution, but rather to provide assistance and direction.