The world of cyber-security is just as turbulent as ever. In just the past few weeks, we’ve witnessed major credit card security breaches at Target, Neiman Marcus and Michaels – three of the world’s top retailers. While the media has largely focused on how this affects consumers, there’s another discussion taking place behind the scenes, and that’s within the IT departments of almost every organization that handles credit card information.
The topic? PCI Compliance.
By definition, if a business processes credit card or debit card payments they must adhere to the regulations of the Payment Card Industry (PCI). Pretty straightforward, right? Wrong. Despite the mandate, there remains a great deal of confusion on the part of businesses (large and small) as to what PCI compliance actually entails. Fortunately, much of this misunderstanding falls into one of our four major myths of PCI Compliance. Let’s take a closer look at more than just the facts.
Myth #1: Compliance Equals Certification.
In January 2014, Ipswitch became the first to announce an official PCI-Certified, cloud-based MFT solution with its MOVEit Cloud Environment. The important word in that sentence is “certified.”
Most businesses don’t realize that there’s a difference – and a significant one – between being PCI compliant and PCI certified. It’s fairly easy to achieve PCI compliance. All that’s required is the completion of a self-assessment questionnaire. It usually takes about a half day and a pinky-swear promise.
Certification against PCI Data Security Standard (DSS) V2.0, on the other hand, is a much more comprehensive process, involving a full-scale audit by a qualified security assessor (QSA) and covering roughly 288 controls. These include detailed reviews of how software is developed; how engineers were trained; daily reviews of more than 200 different streams of audit events and a fully documented software development lifecycle. In all, it’s a process that gets allotted about a half year to complete.
It’s important to note that there is essentially no difference in the requirements of PCI certification and compliance. The difference is in who verifies them and how well-documented the evidence must be.
Essentially, it’s best to think of compliance as a claim, and certification as proof.
Myth #2: PCI Compliance is a Technical Problem.
It’s fairly common for businesses to believe that all it takes to avoid PCI-related issues is the right set of features – encryption, anti-virus protection or some other security voodoo along those lines. They see it as a purely technical matter, when in fact; it has significantly more to do with people, policies and processes.
In fact, our QSA spent considerably more time reviewing our written policies, training documents and other formal documentation than they did reviewing our code. They resorted to using automated tools for that arduous task.
This tends to come as surprise to most retail organizations, especially those who fail a PCI audit. They find that it wasn’t the result of poorly-written code, but rather the result of coding that was poorly documented. It wasn’t the fault of a programmer, but rather in the lack of materials showing how they were trained, or how the process that meets a given PCI regulation.
The lesson here: If your business wants to stay in compliance with PCI requirements, it starts with your policies and procedures. The technical aspect is not as monolithic as you may have been led to believe.
Myth #3: PCI Compliance is Forever.
Retailers would desire to look at PCI compliance the way most of us view our driver’s license: Pass the test once and you’ll never need to take it again. Of course, it doesn’t work that way. Not only are the threats evolving on a day-to-day basis (more on this in a moment) but the PCI targets themselves are being updated and amended. As such, PCI compliance should always be viewed as an on-going objective; a process of continuous improvement.
Here’s a good example: It’s not enough that PCI certified businesses must renew their certifications annually, there are also mandated scans quarterly to ensure flaws haven’t crept in. Daily operations at these companies must adjust to require audit log review on a daily basis to demonstrate the proper controls are in place.
These examples reinforce the notion that PCI compliance is not a one-and-done assignment to be crossed off a checklist. Rather, it’s a set of practices that fundamentally changes the way your business operates.
Myth #4: Enterprise Compliance is easier to manage in-house.
When we announced that the MOVEit Cloud environment became the first of its kind to be PCI certified, it caught more than a few people off guard – and for good reason. Up until then, a cloud-based file transfer solution that was also PCI certified was practically unheard of. At Ipswitch, we think it makes perfect sense.
We crafted a team to create a cloud infrastructure comprising state-of-the-art protection controls, and follow every single PCI-DSS regulation, down to the letter. The disciplines required to deliver this level of confidence as a service are sometimes difficult to replicate in an already overtasked IT department.
So, can a cloud-based managed file transfer system offer just as much security as your legacy system? Absolutely. Is it easy or cost-effective to maintain and secure your own system? Not so much.
As companies begin to understand the capabilities of the cloud – and how it can meet and exceed their enterprise-grade security requirements – secure, compliant managed file transfer becomes merely a checkbox for your auditors.
We hoped to have cleared up a few major myths surrounding PCI compliance, but as you could imagine, there are many more. What are some common myths that you’ve encountered when it comes PCI compliance? Be sure to let us know in the comment section.