Tuesday, July 21, 2009

PCI Compliance No Guarantee

Posted by Mark Brousseau

PCI-compliant companies aren't immune from data breaches.

A new report from Javelin Strategy & Research (www.javelinstrategy.com) looks at the top reasons payment card breaches have occurred at companies that had already been assessed as PCI compliant.

“The PCI Data Security Standard has raised the high water mark for security,” said Mary Monahan, Managing Partner & Research Director, Javelin Strategy & Research. “But there’s a persistent myth that compliance guarantees security. The reality is that PCI compliance is only a baseline. It needs to be monitored constantly as the threat landscape changes.”

Javelin Strategy & Research says the three weaknesses most often behind breaches at PCI-compliant companies are poor tracking and monitoring of access to cardholder data, insecure Web applications, and inadequate protection of stored cardholder data. Each of these maps to a specific PCI DSS requirement (tracking and monitoring all access to network resources and cardholder data, developing and maintaining secure systems and applications, and protecting stored cardholder data), so a breached "compliant" merchant has usually drifted out of compliance with controls it once passed. The firm notes that when PCI-certified companies are breached, many requirements are often found to be out of compliance at the time of the breach, which is the point of Monahan's caveat above: a passed assessment is a snapshot, and the controls have to keep working between assessments.

“The notion that certified PCI-compliant companies cannot be breached is a myth,” said Robert Vamosi, Research Analyst, Risk, Fraud, and Security, Javelin Strategy & Research. “Our research has found that qualified security assessors can mishandle the PCI certification process, or businesses may be compliant during the audit but not follow through later. In addition, compliance improves security, but it does not prevent breaches. Merchants, the PCI Council and issuers must continue to work together to resolve recurring complaints and speak with one voice against the common threats of loss and fraud.”

What do you think? Post your comments below.

1 comment:

pci compliance said...

This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.