How Effective is the PCI-DSS?
The PCI-DSS (Payment Card Industry Data Security Standard) is a set of requirements for businesses and merchants that handle credit card information. These standards are designed to protect the customer by requiring businesses to protect sensitive cardholder data. Complying with the PCI-DSS requirements can result in changes to a business's data infrastructure, including securing networks, implementing access controls, and creating a robust information security policy.
However, despite the stringent requirements, there is still doubt about the real-world effectiveness of the PCI-DSS. The idea that PCI-DSS doesn't make consumer credit card data much safer has been discussed ad nauseam, and not without some compelling evidence. In 2008, 4.2 million credit card numbers were stolen from the PCI-DSS compliant grocery chain Hannaford Brothers.
But isolated instances of failed PCI-DSS policies provide nothing more than anecdotal evidence of the perceived weakness of the standard. To truly examine its impact, a formal study should be done. On September 24, 2009, the Ponemon Institute released the results of such a study. This study (pdf) included survey data collected from people representing a number of different companies and businesses.
Some of the key findings:
- Cost of PCI is, on average, 1/3 of the overall security budget
- 79% have had a data breach
- 55% of companies focus only on protecting the credit card data and not other sensitive information
- There is uncertainty as to which personnel are the most accountable for PCI-DSS compliance
- Smaller companies are less compliant than larger companies (75k+ employees)
From the study, one can deduce that the standards favor larger companies, which are usually better able to conform to the requirements, due in part to larger security budgets and more resources. It is also interesting that the majority of companies surveyed (55%) expressed interest in protecting only the cardholder data. This means that other consumer data (such as social security numbers, addresses, etc.) could be swinging in the wind with no protection at all. It almost seems as if companies want to adhere to the PCI-DSS just enough to be compliant.
But if companies don't have a serious vested interest in protecting their customers' sensitive data (ALL of it), then maybe they've missed the point. The PCI-DSS certainly gets merchants thinking about security, but the lengths they go to in achieving that security shouldn't stop at PCI-DSS compliance. Naturally, no set of standards is capable of covering all fronts, especially not in a landscape that changes as frequently as information security. But if companies don't take the hint and think seriously about protecting data and securing their systems against threats, then compliance is nothing more than a glorified checklist representing an ineffective baseline for security practices.
If we think of the PCI-DSS as a panacea for cardholder data breaches, then it is indisputably ineffective. However, if we think of it as a guideline and a foundation on top of which real security measures can be built, then it may prove to be quite valuable.

December 24th, 2009 at 7:16 am
Hi, probably our posting might be off topic but anyhow, I've been browsing around your weblog and it seems truly elegant. It is obvious that you know the subject and you seem passionate about it. I am developing a new weblog plus I'm striving to make it look great, as well as present top quality writing. I've learned much visiting this web site plus I anticipate a lot more posts and will be coming back soon. Thanks.