
I continue to hear comments that PCI DSS doesn’t work and that it should be modified or even eliminated. My favorite recent criticism was from Rep. Yvette Clarke (D-N.Y.) when she said: “the standard by itself is simply not enough to protect cardholder data … I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.” I find it interesting that so much fault can be leveled at PCI DSS in light of the facts that Verizon Business puts forth in its 2009 Data Breach Investigations Report. Here are some of its findings after investigating data breaches that compromised 285 million records in 2008 alone:

· Payment card data was the target in 81% of the breaches (98% of the compromised records were payment card data)
· 74% of breaches were caused by external sources
· 75% of the breaches came from three industries: 31% Retail; 30% Financial Services; 14% Food Service
· Point of breach entry to actual compromise: 27% in minutes; 21% in hours; 29% in days
· Compromise to discovery: 16% in days; 25% in weeks; 49% in months
· Discovery to containment: 37% in days; 42% in weeks; 15% in months
· 81% of the victims were not PCI compliant

The last point—81% of the victims were not PCI compliant—speaks volumes about the spirit, intent and effectiveness of PCI DSS, provided it is treated as a security best practice and followed on a daily basis rather than as a checklist that must be passed annually. Until each of the above percentages changes dramatically, I think PCI DSS should be seen as a good security best practice to follow continuously.