There is no end in sight, and there never will be—not when it comes to securing payment transactions and consumer data. Regulatory agencies and emerging technologies attempt to make breaches more difficult, but the higher the bar is raised, the higher tech-savvy hackers learn to jump.
Were any of us completely surprised to learn that a PCI-compliant retailer was breached? Not really. In fact, most industry analysts and security professionals would say it was just a matter of time—and given the speed of emergent technologies, there’s been a lot of time since the payment card industry (PCI) data security standard (DSS) was last updated on Dec. 31, 2006.
The 12 requirements outlined in the PCI DSS are a great starting point, but they are only that: a starting point. Putting a dead bolt on your doors and installing a home-security system are logical precautionary measures, but a stealthy, sophisticated criminal could still find a point of entry. The same holds true for your secured networks and payment systems.
Certainly that was one of the lessons Hannaford Bros., Scarborough, Maine, learned when more than 4.2 million debit and credit accounts were breached through the PCI-compliant Hannaford network. Within days, Advance Auto Parts, Roanoke, Va., and Okemo Mountain Resort, Ludlow, Vt., had also reported breaches.
Ben Edwards, a systems consultant with Peak Technologies, Columbia, Md., agreed that PCI compliance is the best first step, but cautioned, “There is no such thing as a totally hacker-proof system and anyone who implemented the minimum security to be compliant with PCI DSS regulations is quite vulnerable today because technology moves so quickly.”
Among his suggestions: Maintain constant vigilance, have multiple layers of security, and stay up-to-date on the latest safeguards, which likely means going beyond the rules of regulatory compliance.
For instance, wireless networks, potentially an Achilles’ heel for virtually every retailer, are much more prevalent now than in 2006 when the PCI DSS regulations were last updated.
However, most retailers believe they have taken all the necessary precautions if they are PCI-compliant. When retailers describe secure payment systems, the first thing they tell me is that they are PCI-compliant; the second thing is that the data is encrypted.
Trusting encryption to be your silver bullet against hackers is probab