How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I’ll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business.
In all that I’ve read, there’s too much emphasis on whether a breached retailer was certified as PCI compliant. Is this important? Of course, it is. But a “yes/no” reading on certification fails to address a general attitude of merchants toward the whole PCI process. I have been a Qualified Security Assessor (QSA) since the inception of the PCI standard and I can tell you that, too often, the attitude of my customers conveyed a sense of “Let’s get this over with …” or “The audit of the month is wasting my time …” or even “Just tell me what I need to do to pass.”
There are exceptions. But I’ve worked with too many companies which don’t really embrace the impact that successful PCI security standard implementation can make with regard to their overall security posture – not simply for the protection of credit card data, but for the protection of their entire enterprise. This notion is frequently lost on merchants because they spend an inordinate amount of time attempting to “limit the scope of the assessment.” This typically meant, “If you don’t have to look at a set of systems, then I don’t have to secure them …” Most of us would agree that this is the wrong approach.