IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Sun, 1st Nov 2009

Use of IT lowers cost of non-compliance to PCI DSS.

With the evolution towards a cashless society continuing to gain pace, every organisation from insurance to financial services, hospitality to retail is becoming completely reliant upon credit and debit cards. As a result, there is growing awareness of the importance of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Businesses with systems that do not comply with PCI DSS could face fines, levied by the card brands through the acquiring bank, as high as $682,000 per incident. A worst-case scenario could even include the suspension or revocation of a company's right to accept or process credit card transactions.

However, these penalties are a lesser concern than the possibility of a data breach. When a company suffers unauthorised access to customer card data, the results can be disastrous: a breach damages brand perception and can do irreparable harm to customer confidence.

There are too many examples of companies that have suffered directly as a result of insecurely held card data.

Most recently, Radisson Hotel and Resorts, the international hotel chain, experienced a serious data breach which compromised sensitive customer data, including credit card information. The company is now looking to “implement additional security measures designed to prevent a recurrence of such an attack”.

Deadline

All businesses that accept or process credit card transactions need to have PCI DSS on their immediate radar. Visa is becoming more stringent about companies adhering to the standard, and an initial 'warning' deadline for compliance passed on September 30, 2009. The standard is designed to ensure companies protect sensitive cardholder account data from theft and fraud; in other words, it helps companies avoid costly data breaches.

Many companies spend months painstakingly collecting and collating audit trail information to demonstrate that they follow the processes the PCI DSS requires, time and resources that few can afford in the current economic and regulatory climate.

The problem is that system changes can very quickly take an organisation out of its compliant state and introduce security vulnerabilities. Without continuous system monitoring, an organisation cannot know its compliance status between audits.

So, how can organisations manage this key compliance requirement without needing excessive resources or facing continual fear of slipping out of the compliant state as a result of system change?

Using IT to simplify the PCI DSS compliance process

There are IT tools available today which make it easy for businesses to assess, audit, assure and automate the processes involved in achieving compliance. Automation has to be introduced into the process to drive down both cost and risk. Only a continuous compliance process built on real-time monitoring lets an organisation sustain compliance in the long term.

Validating compliance can be fundamentally simplified, first by assessing the current infrastructure stack's level of compliance with the elements of the PCI DSS. This assessment either confirms compliance or provides a gap analysis highlighting current areas of risk, enabling organisations to allocate resources effectively.

Once these issues have been addressed and a known, trusted compliant state reached, the organisation can put in place automated infrastructure monitoring with change auditing (across both physical and virtual environments) to ensure compliance is sustained. Each detected change is checked both against the change management database (was it approved, for this system, in this time window?) and against the compliance requirements (does the system remain compliant afterwards?), and IT staff are immediately alerted to any unauthorised change. This is the file-integrity monitoring and audit logging the standard itself calls for (PCI DSS Requirements 10 and 11.5).

This not only raises an alert when the organisation slips out of compliance, but also flags potential security weaknesses before customer data is compromised. With an audit trail of every relevant system event, from failed access attempts to configuration changes, companies can readily prove their compliance during audits and cut the preparation and resources involved. Organisations cannot afford to be intermittently compliant; the risk of a breach is too great and the cost of manual audits too high.
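The change-auditing loop described in the two paragraphs above (hash the monitored files to form a trusted baseline, compare the live system against it, check every difference against the change management database, alert on whatever was not approved, and write an audit trail), as an added example in Python that is not code from the article or from any product it refers to. It models the change management database as an in-memory list of approved change tickets, each naming the paths it covers and an approved time window; the paths, file contents, hashes and ticket IDs are all constructed for illustration and are assumptions of this example, not facts from the page.

```python
"""Change auditing reconciled against a change-management record.

Added example, not code from the article or from any vendor it alludes to.
Every path, file content, hash and ticket ID below is constructed for
illustration; the CMDB is modelled as an in-memory list of approved tickets.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Change:
    """One observed difference between the trusted baseline and the live system."""
    path: str
    old_hash: Optional[str]   # None: file did not exist in the baseline (added)
    new_hash: Optional[str]   # None: file no longer exists (deleted)
    observed_at: datetime


@dataclass
class ChangeTicket:
    """An approved change record: which paths may change, and in what window."""
    ticket_id: str
    paths: set
    window_start: datetime
    window_end: datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Hash every monitored file; this is the 'known and trusted' baseline."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_snapshots(baseline: dict, current: dict, observed_at: datetime) -> list:
    """Return every added, modified or deleted path, in path order."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old != new:
            changes.append(Change(path, old, new, observed_at))
    return changes


def reconcile(changes: list, tickets: list) -> tuple:
    """Authorised = an approved ticket covers the path AND the change landed
    inside that ticket's window; everything else is unauthorised."""
    authorised, unauthorised = [], []
    for change in changes:
        ticket = next((t for t in tickets if change.path in t.paths
                       and t.window_start <= change.observed_at <= t.window_end), None)
        if ticket is None:
            unauthorised.append((change, None))
        else:
            authorised.append((change, ticket.ticket_id))
    return authorised, unauthorised


def audit_trail_line(change: Change, ticket_id: Optional[str]) -> str:
    """One append-only audit record per change, in a form an assessor can read."""
    status = "AUTHORISED" if ticket_id else "UNAUTHORISED"
    return (f"{change.observed_at.isoformat()} {status} {change.path} "
            f"{change.old_hash or '-'} -> {change.new_hash or '-'} "
            f"ticket={ticket_id or 'none'}")


def run_example() -> tuple:
    """Constructed scenario: one approved change, one change outside its approved
    window, one new file with no ticket, and one deleted audit log."""
    baseline = snapshot({
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/var/www/app/config.php": b"$db_host = 'db1';\n",
        "/usr/sbin/pos_service": b"ELF-bytes-v1",
        "/var/log/audit/audit.log": b"type=LOGIN ... res=success\n",
    })
    current = snapshot({
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",        # changed, ticket is for tomorrow
        "/var/www/app/config.php": b"$db_host = 'db2';\n",       # changed under CHG-1042
        "/usr/sbin/pos_service": b"ELF-bytes-v1",                # unchanged
        "/var/www/app/shell.php": b"<?php system($_GET['c']);",  # added, no ticket at all
        # /var/log/audit/audit.log is absent: deleted, no ticket
    })
    observed = datetime(2009, 10, 15, 2, 30)
    tickets = [
        ChangeTicket("CHG-1042", {"/var/www/app/config.php"},
                     datetime(2009, 10, 15, 2, 0), datetime(2009, 10, 15, 3, 0)),
        ChangeTicket("CHG-1050", {"/etc/ssh/sshd_config"},       # approved for the next night only
                     datetime(2009, 10, 16, 2, 0), datetime(2009, 10, 16, 3, 0)),
    ]
    authorised, unauthorised = reconcile(diff_snapshots(baseline, current, observed), tickets)
    for change, ticket_id in authorised + unauthorised:
        print(audit_trail_line(change, ticket_id))
    return authorised, unauthorised


if __name__ == "__main__":
    run_example()
```

Two things in the scenario are worth noting. A change is unauthorised either because no ticket covers the path at all (the new `shell.php`, the missing `audit.log`) or because a ticket covers it but the change landed outside the approved window (`sshd_config`, approved for the following night); reconciling on time as well as path is what stops an old approval from silently whitelisting a later, unrelated edit. And the deleted audit log is exactly the kind of tampering the trail exists to catch, so in a real deployment the baseline hashes and the audit records live on a separate, write-restricted host rather than on the system being monitored.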

A serious threat

Data breaches are a real and serious threat to companies holding insecure data. However, continuous compliance with standards such as the PCI DSS helps companies protect sensitive cardholder information. Without automation through continuous monitoring and reporting, the compliance process is both resource-intensive and potentially valueless. Failure to monitor continually for non-compliance adds cost, consumes resources and, critically, carries significant business risk.