The problem with compliance standards is that they often give businesses a false sense of security. Companies think that if they meet compliance standards, they will be immune to whatever it is those standards cover. However, organizations need to realize that simply meeting code is doing the bare minimum to achieve safety - it does not mean they are impenetrable.
This has become woefully apparent in recent months given all the payment security and data theft issues several big-name merchants have had. After this event, the public questions them: how could this have all gone wrong? The merchant’s general first response is that it followed all industry standards, with some even presenting PCI DSS documentation to prove it to those questioning the retailer’s practices.
Looking beyond compliance
As Brad Chronister, a contributor of the TSYS Ngenuity Journal, noted, the problem often comes down to the fact that merchants only care about a successful PCI audit, which comes only once a year.
“Merchants who focus only on passing a PCI audit are missing the whole point of the exercise, which is to validate that they have all applicable security measures and processes in place to protect themselves and their customers,” explained Chronister. “The problem with a compliance-only mindset is that compliance is a view of security controls at a particular point in time. Therefore, it’s possible for the state of those security controls to change even hours after a merchant’s PCI DSS audit is complete and the Report on Compliance (RoC) is signed.”
As is the case with any risk management initiative, data security is not something that major companies can look at once a year and be done with. Instead, it is something that needs to be assessed on a regular basis as new threats arise - this allows merchants and other businesses accepting payments to react accordingly, whether it means investing in new point-of-sale solutions or taking other preventative measures.
The important thing for merchants to remember is that PCI DSS only covers some of the most common security pitfalls. Unfortunately, that will only help against a portion of fraudsters. The dedicated ones will find unique gaps and holes and use the vulnerabilities to attack merchants. They are savvy individuals, always finding new ways to attack targets and simply put, an annual PCI DSS audit just will not cut it.
More awareness at the top
Over the past few years, the sheer number of payments-related and other cyber security issues have hit a fever pitch. In fact, one report from the Ponemon Institute found that the cost of each lost or stolen record containing personal information has increased by 9 percent over the last year, with each individual incident costing companies $201. That sum adds up quickly when retailers are talking about millions of card numbers being stolen.
As such, company executives have become more aware of the issue and are becoming involved in trying to prevent it from becoming a problem. Security directly affects the bottom line, so it is a crucial issue for them to address.
Developers of point-of-sale software and hardware need to keep this in mind as they develop and manufacture their products. Retailers care about security and realize that sometimes doing the bare minimum just will not cut it - they are looking for solutions that can provide greater security for their customers. It is crucial that developers implement adequate software and choose reputable and developer-centric partners that will help merchants protect sensitive data, which has become a pivotal selling point for POS solutions among security-savvy merchants.