Merchants are most likely to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) and avoid data breaches if they adopt security as a lifestyle, according to a study released earlier this week by Verizon Business, which provides PCI audits and other PCI-related services.
"Where we've seen people be successful is when they integrated these security initiatives—PCI and others—into their daily, weekly, monthly activities, so that maintaining their security posture is something that is done versus something that's crammed for," says Jen Mack, Verizon's director of global PCI services.
Verizon Business, a unit of New York City-based phone giant Verizon Communications Inc., based its results on PCI assessments by its Qualified Security Assessors (QSAs) in 2008 and 2009. The firm reported earlier that about a fifth of the merchants it surveyed that had suffered a data breach had been validated as PCI-compliant during the last audit before their breach (Digital Transactions News, Aug. 5).
Many merchants may believe that passing a PCI audit means they will be secure until the next annual assessment by a QSA, but "basically, merchants need to remain vigilant throughout the year, and every year," Mack says. "This needs to be looked at as a lifestyle change—this is not a project that ends after the QSA leaves or after the self-assessment is done, and then pick it up again next year three months before the compliance validation runs out."
Verizon found that many businesses stop maintaining the security policies and procedures the QSA certified as PCI-compliant as soon as the audit is completed.
"We're seeing basically that a lot of people rush to clean up things and then achieve that compliance certification, but then the very next day, or next month, they're not keeping up with the log reviews, or they're not updating their (security) patches, etc.," Mack says.
Some businesses also postpone security changes during busy seasons, for example retailers during the Christmas holiday shopping season, she says. By delaying security upgrades or security patches, those businesses most likely fall out of the compliant state a QSA certified earlier in the year.
Based on the study, Verizon compiled a list of recommendations that can help retailers maintain PCI compliance and avoid possible data breaches, including:
–Build security into business practices from the beginning, rather than adding it on later. Organizations that follow this practice typically use fewer resources and get more value from their compliance activities, Verizon said.
–Align compliance and security. Organizations that stay compliant tend to have a single team for compliance and security management, or two teams that collaborate closely.
–Treat compliance as a continuous process, not a point-in-time event. Organizations should incorporate PCI activities into their daily business operations rather than viewing them as monthly, quarterly or yearly projects.