Another data breach involving more than 500,000 records and Network Solutions is yet another organization that claims they were PCI compliant. How can this be happening? How does an organization know if they are PCI compliant with all 12 sections of PCI Security Standards which include hundreds of processes, roles and responsibilities that people must be following and implementing on a daily basis?
Maybe what PCI really needs is a new focus and a new three letter acronym to go with all their other three letter acronyms.
If you visit the PCI Security Standards web site, you will find a whole bunch of three letter acronyms that the PCI Security Standards Council created:
PCI – Payment Card Industry
DSS – Data Security Standard
ASV – Approved Scanning Vendors
QSA – Qualified Security Assessors
SSC – Security Standards Council
PED – PIN Entry Devices
SAQ – Self Assessment Questionnaire
ROV – Report on Validation
FAQ – Frequently Asked Questions
Based on lessons learned and multiple data breaches at organizations that were PCI Compliant at the time of their incident, the PCI Security Standards Council is clearly missing a key three letter acronym.
CYA – Cover Your Ass(ets)*
*For those people offended by Cover Your Ass(ets), we recommend:
*CYA – Compliance Year Around
*CYA – Certification Year Around
Compliance/Certification Year Around delivers much better results than compliance or certification for a day or two. Managing ongoing awareness, accountability, security, confidentiality, integrity, availability and auditability on an ongoing basis requires a focus on Technology, Processes and People….not just Technology focused security and scanning efforts.