
Target breach aftermath: Is PCI compliance a 'tick box' exercise?


PCI compliance was called a 'gold standard' and 'secure baseline' at a conference in London today, but not all believe that it does enough to guard against data breaches.


Panellists speaking at the second SC Congress London earlier today were split on PCI compliance, which has become a hot topic of late not least considering the impact of Target's data breach late last year.

A panel comprising Dave Whitelegg, senior information security and PCI consultant at Capita, James Mckinlay, head of information security for UK&I at Worldline, and ISSA UK president Tim Holman talked through the changes in PCI compliance regulations over the years, from version 1.1 of PCI DSS through to 2.0 and now 3.0, and considered how businesses are tackling compliance and auditing.

Mckinlay was largely upbeat on the changes, saying that business awareness had grown substantially over the last eight years, a period in which some companies would not have been pursuing PCI or even ISO 27001 compliance.

He applauded recent changes to PCI DSS 3.0, including incident response, monitoring and network segmentation, and said that the standard essentially acted as a ‘secure baseline’ for protecting debit and credit card details.

But Whitelegg was keen to point to the Target data breach as evidence that compliance alone isn't sufficient.

Target met PCI compliance in September 2012 but the panellists noted a “few alarm bells” such as the lack of network segmentation between the card data and the rest of the corporate network, little incident response and no two-factor authentication for remote access.

With this likely having resulted in a drop-off in compliance over the course of the year, the panellists agreed that PCI must be a “continuous state of operation.” “It has to be hit all the time,” said Whitelegg.

Not that the companies – or associated third parties, as was the case in the Target breach – are entirely to blame, the panel admitted. One member of the audience quizzed Holman on whether qualified security assessors (QSAs) should be more evidence-based in their investigations, and the 2-sec CEO admitted that QSAs largely rely on trusting people to tell them the truth.

“Compliance relies on people telling the truth,” said Holman, a QSA himself. “But evidence-based audits take a hell of a lot longer for bigger vendors, and if you're not in a position to do that [companies] will go for a cheaper QSA.”

What should companies be doing to get ahead with PCI compliance? The panellists said that they must put together incident response plans, ensure data is being encrypted and treat PCI compliance as a “continuous exercise”. Mckinlay added that there would be a ‘lot less problems’ if security was driven top-down from the board.
