On Thursday 30 September 2010, the latest PCI DSS deadline kicks in, requiring all level one merchants (those processing more than six million card transactions per year) to adhere to the v1.2 requirements or face the penalties of non-compliance. The deadline also affects level two, three and four merchants: from here on, any smaller merchant that suffers a breach will automatically be escalated to level one, bringing with it additional policies, procedures and higher costs.
With this deadline looming, and the penalties for non-compliance more costly and onerous than ever, merchants are understandably focused on achieving compliance. But organisations should be wary of quick-fix measures adopted simply to meet the date.
Many merchants fall into the trap of viewing PCI DSS as a checklist to be ticked off within a set timeframe. Compliance is not a one-off exercise; organisations should treat it as an ongoing process that depends on automating and optimising increasingly complex IT and data operations.
Too often, PCI compliance is treated as the responsibility of a single business division, without considering how the controls it prescribes can improve operational efficiency across the whole organisation.
Merchants taking this siloed approach think only about how PCI DSS affects card transaction procedures, rather than viewing it as a set of security practices that can improve the performance of the entire business. Such 'kneejerk' responses to PCI mandates may seem cheap to implement, but they are a false economy. It makes more sense to deploy monitoring that adds value in as many areas as possible; there is a significant difference between merely complying and doing something that benefits the business as a whole.
Automated, centralised and fully integrated log management platforms, giving ongoing insight into how IT systems are being used across the whole business, should be the cornerstone of a compliance strategy. Indeed, the latest UK Security Breach Investigation Report indicates that, of the merchants suffering a cardholder data breach in 2010, none were compliant with PCI DSS Requirement 10, which requires merchants to track and monitor all access to network resources and cardholder data so that unusual or suspicious activity can be spotted proactively.
This position is endorsed by the PCI Security Standards Council, which has released a statement informing merchants that “It is not enough to validate compliance annually and not adopt security into an organisation’s ongoing business practices… Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organisation’s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete.”
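To make the Requirement 10 point concrete, here is an added example (not code from the article, the PCI SSC or any named vendor) of the kind of ongoing monitoring a centralised log platform should be doing over access records from in-scope hosts. The log lines are constructed for the example, and the host names, approved source addresses, business hours and failure threshold are assumptions standing in for what a real deployment would take from its asset inventory and access policy.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not from any real merchant system).
# The "timestamp key=value ..." layout is an assumption about how a central log
# platform would normalise access records collected from in-scope hosts.
SAMPLE_LOG = """\
2010-09-28T09:02:11Z host=db-cde-01 user=dba_alice src=10.20.1.15 action=login result=success
2010-09-28T09:02:40Z host=db-cde-01 user=dba_alice src=10.20.1.15 action=query result=success
2010-09-28T13:15:02Z host=db-cde-01 user=svc_app src=10.20.2.7 action=query result=success
2010-09-28T22:41:09Z host=db-cde-01 user=root src=192.0.2.44 action=login result=failure
2010-09-28T22:41:12Z host=db-cde-01 user=root src=192.0.2.44 action=login result=failure
2010-09-28T22:41:15Z host=db-cde-01 user=root src=192.0.2.44 action=login result=failure
2010-09-28T22:41:18Z host=db-cde-01 user=root src=192.0.2.44 action=login result=failure
2010-09-28T22:41:21Z host=db-cde-01 user=root src=192.0.2.44 action=login result=failure
2010-09-28T22:41:30Z host=db-cde-01 user=root src=192.0.2.44 action=login result=success
2010-09-28T22:42:01Z host=db-cde-01 user=root src=192.0.2.44 action=export result=success
2010-09-28T23:10:00Z host=web-01 user=svc_app src=10.20.2.7 action=login result=success
"""

# Assumed environment facts; a real deployment pulls these from inventory and policy.
CDE_HOSTS = {"db-cde-01"}                       # hosts that store cardholder data
APPROVED_SOURCES = {"10.20.1.15", "10.20.2.7"}  # admin jump host and application tier
BUSINESS_HOURS = range(8, 18)                   # 08:00-17:59 UTC
FAIL_THRESHOLD = 5                              # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=2)              # ... within this window

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one normalised log line into a dict; 'ts' becomes a datetime."""
    ts_text, _, fields = line.partition(" ")
    event = dict(KV_RE.findall(fields))
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run the monitoring rules over events in time order and return alerts."""
    alerts = []
    seen_sources = set()          # (src, host) pairs already reported by rule 1
    failures = defaultdict(list)  # (src, host) -> times of recent failed logins

    def alert(rule, ev):
        alerts.append({"rule": rule, "ts": ev["ts"], "src": ev["src"],
                       "user": ev["user"], "host": ev["host"]})

    for ev in sorted(events, key=lambda e: e["ts"]):
        in_cde = ev["host"] in CDE_HOSTS
        key = (ev["src"], ev["host"])
        is_login = ev["action"] == "login"
        ok = ev["result"] == "success"

        # Rule 1: any access to a CDE host from a source not on the approved list
        # (reported once per source/host pair to keep the alert volume readable).
        if in_cde and ev["src"] not in APPROVED_SOURCES and key not in seen_sources:
            seen_sources.add(key)
            alert("unapproved_source", ev)

        # Rule 2: repeated failed logins from one source within the window.
        if is_login and not ok:
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once, when the threshold is hit
                alert("repeated_failures", ev)

        # Rule 3: a successful login shortly after failures from the same source.
        if is_login and ok and any(ev["ts"] - t <= FAIL_WINDOW for t in failures[key]):
            alert("success_after_failures", ev)
            failures[key] = []

        # Rule 4: successful login or data export on a CDE host outside business hours.
        if in_cde and ok and ev["action"] in {"login", "export"} \
                and ev["ts"].hour not in BUSINESS_HOURS:
            alert("out_of_hours", ev)

    return alerts


def summarise(alerts):
    """Alert counts per rule: the daily view an operator would actually review."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["src"], a["host"])
    print(dict(summarise(found)))
```

On the constructed input the approved users generate no alerts, while the off-hours root session from 192.0.2.44 trips all four rules (five alerts in total: one unapproved source, one failure burst, one success after failures, and two out-of-hours actions including the export). The point is that none of these rules is exotic; what Requirement 10 asks for is that they run continuously over logs collected from every in-scope host, not that they be assembled once for an assessment and then switched off.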