Security isn’t just about meeting standards, as this past year’s string of data breaches has shown. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created to ensure that all companies maintain certain standards to keep credit card information in a secured environment. This includes any company that accepts, processes, stores or transmits credit card information. But in data security there is never a full, fail-safe mechanism that always works as long as certain checklists are maintained. In other words, PCI compliance is just the minimum that companies should do. The best way to ensure security is to constantly evolve.

New threats

Compliance with security standards can potentially create a dangerous illusion of false security. The PCI Security Standards Council, in its report titled “Skimming Prevention: Best Practices for Merchants,” discusses some of the common targets, including data capture via malware or software that has been redesigned to bypass standard security barriers. It concludes that raising awareness about these threats among service providers is absolutely essential and needs to be done in addition to ensuring compliance with the PCI standards.

Security beyond standards

Encryption is another important component in data protection but, again, this should be the bare minimum, not taken for granted as adequate. Enterprises should also understand the origin of data and be able to confirm that it has not been changed. Maybe some day authentication and non-repudiation through digital signing will be of great importance, if it is ever accepted by the PCI council. For example, say a customer has been guided beyond PCI by instituting unique data-handling steps. This customer had an issue with runaway encryption, where employees were encrypting data with keys that had no corresponding keys to unlock the information.
Even with this runaway encryption, this same customer satisfied PCI compliance for the way it shared credit card information. Later it learned how important it was to maintain authentication and non-repudiation, after it was burned by one rogue employee.
Layers of Security
Securing information is not easy. The fallout from a single breach can actually end a company. Security investments are often compared with insurance. Whether or not that comparison holds, the entire game is changing, and many challenges are popping up that need new solutions.
What security isn’t about
There is nothing to gain by overlooking the plans put forth by the PCI Council. Without the council’s hard work to push for a consistent degree of protection, an industry that reaches into every business would find itself in much worse shape. Now it is high time to stop treating security as a child’s game and do the necessary work to stop dangerous breaches. As breaches increase in number and speed, it’s important to make information security even stronger. For that, a better standard from PCI and other standards bodies is needed to lay out the essentials for companies that are unreasonably expected to be security pros when they are, at heart, fantastic bankers, lenders, retailers, manufacturers, etc. Therefore, PCI could push for pen testing to highlight security holes and help members find frequently emerging issues. For businesses aspiring to flourish, it’s time to realize that compliance keeps you safe from the auditor — but not from all the others who are actually threatening your customers.