Another data breach, this one involving more than 500,000 records at Network Solutions, and yet another organization that claims it was PCI compliant at the time.  How can this keep happening?  How does an organization know whether it is PCI compliant with all 12 sections of the PCI Security Standards, which include hundreds of processes, roles and responsibilities that people must follow and implement on a daily basis?

Maybe what PCI really needs is a new focus and a new three letter acronym to go with all their other three letter acronyms. 

If you visit the PCI Security Standards web site, you will find a whole bunch of three letter acronyms that the PCI Security Standards Council created:

PCI – Payment Card Industry

DSS – Data Security Standard

ASV – Approved Scanning Vendors

QSA – Qualified Security Assessors

SSC – Security Standards Council

PED – PIN Entry Devices

SAQ – Self Assessment Questionnaire

ROV – Report on Validation

FAQ – Frequently Asked Questions

Based on lessons learned from multiple data breaches at organizations that were PCI compliant at the time of their incident, the PCI Security Standards Council is clearly missing a key three letter acronym.

CYA – Cover Your Ass(ets)*

*For those people offended by Cover Your Ass(ets), we recommend:

*CYA – Compliance Year Around

*CYA – Certification Year Around

Compliance/Certification Year Around delivers much better results than compliance or certification for a day or two.  Managing awareness, accountability, security, confidentiality, integrity, availability and auditability on an ongoing basis requires a focus on Technology, Processes and People, not just technology-focused security and scanning efforts.