As yet another series of data breaches unfolds, there’s been more focus on PCI compliance than ever before. And for good reason. Apparently the PCI Standards Council, the body that overseas PCI, thinks that too many companies are failing in their obligations.
In just the last two weeks we’ve seen major data breaches announced at firms like JP Morgan Chase, Community Health Systems (4.5 million Social Security Numbers exposed), UPS, Dairy Queen, and more than 1,000 retailers.
Just as many security experts suspect, too many companies rush to achieve PCI compliance or pass an audit, then essentially ignore those same standards in the gaps between audits. And hackers will always take advantage of those lapses.
In an effort to encourage greater compliance all the time, the Standards Council just released what it calls a Best Practices document – which is essentially a reminder of all the dos and don’ts if you want to avoid trouble – from hackers and the Council.
In a bulletin just issued, the Council made recommendations that businesses of all sizes should take to minimize the risks:
- Maintain the proper perspective: Ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities, as opposed to achieving a passing compliance report and then subsequently letting security practices fall off.
- Emphasize security and risk, not just compliance: Build a culture of security and allow compliance to be achieved as a consequence.
- Continuously monitor security controls: Develop strategies to continuously monitor and document the implementation, effectiveness, adequacy and status of all security controls.
- Detect and respond to security control failures: Put processes in place to respond to security control failures in a timely manner.
- Develop performance metrics to measure success: Quantify the ability to sustain security practices and PCI DSS compliance by developing a set of metrics that summarize the performances of their security controls.
In releasing the guidelines, the Council suggested that “Building a culture of continuous security and vigilance is vital to meet the intent of the PCI DSS, which is safeguarding payment card data at all times.” Most important, the Council warned that while PCI compliance needs to happen 365 days a year, for too many companies it’s little more than an annual event.
Wise words that should be applied to every corner of your business. If you want to avoid the costly distraction of security breaches, and focus on the stuff that will make your business strong, then secure your perimeters.
Your best bet, your best defense by far, is a top-to-bottom culture of security. With it, you’ll thrive. Without it, you’ll be constantly fighting fires. To get started call SiteLock at 855.378.6200 for a free consultation.