In recent weeks there have been a number of data breach stories here in the UK and in North America. UK travel insurance provider Staysure revealed that around 93,000 customers may be affected after sensitive bank card details were thought to have been stolen as a result of an IT security breach.
At the end of January the US arts and crafts retailer Michaels revealed it was the latest retailer to investigate a possible credit card leak. Other breaches occurred at Neiman Marcus and Target where it is thought that personal data for as many as 110 million customers was leaked.
The IT Governance website claims it is clear that in Staysure’s case the organisation was not PCI DSS compliant at the time of the breach because PCI DSS does not allow sensitive authentication data to be stored post authorisation. A key issue to bear in mind is that PCI DSS compliance only requires a single compliance assessment each year.
The assessment merely represents a snapshot in time, a valid judgment made at a single point during a twelve month period and not a guarantee of compliance the following day. There is plenty of evidence to show that many data breaches occur sometime after a successful PCI DSS audit.
Unfortunately many compliance solutions on the market today are expensive, take a long time to implement and require organisations to completely overhaul their in-house processes. For this reason many organisations are making do with home-grown systems based on spreadsheets to manage compliance programmes such as PCI DSS.
Yet a spreadsheet-based approach has many shortcomings including a lack of central visibility or control over the compliance process, burdening skilled compliance and risk personnel with manual process administration and insufficient insight into trends and anomalies to support business decisions.
In many cases it’s all about the pursuit of compliance for compliance’s sake instead of focusing on making security the first priority. Data breaches such as those mentioned above highlight that organisations in the 21st century need something better than spreadsheets for managing their security processes.
I advocate a continuous approach to information security where the primary focus is to improve the security of an organisation’s infrastructure and applications, rather than a “tick box” compliance exercise. A continuous approach to compliance puts controls at the centre of the compliance programme, rather than an annual audit, where control activity is performed and monitored throughout the calendar year.
This approach provides real-time visibility of the organisation’s compliance status – the net effect being more merchants incorporating PCI DSS compliance into their business-as-usual (BAU) practices and importantly improving the organisation’s security posture.