Nowadays, merchants are spending too much time adhering to compliance checklists and ignoring the whole point of the Payment Card Industry's Data Security Standard, which is to protect payment card and personal data. Merchants have a misconception about what compliance means, inaccurately substituting the term secure for compliant. There is one thing that compliance doesn't mean, and that is that payment card data is safe if retailers adhere to PCI DSS.
The misunderstanding of PCI DSS and compliance in general runs deep in the retail and sales sector. Businesses are focusing too hard on checking off boxes without thinking about the meaning behind doing so. The result is that myths spread across the sector, and merchants are actually always at risk of losing payment card data.
Let's take a look at four compliance myths and dispel them in an attempt to improve this industry's data security.
1. Malware doesn't care about compliance
PCI DSS compliance is certainly a great standard, and many of the newer regulations – such as the removal of SSL – suggest that the Security Standards Council is well aware of the current threat landscape. However, malware continues to cause problems for retailers around the world, even when they adhere to PCI DSS.
"POS malware isn't going to disappear because a retailer is compliant."
Information Age reported on numerous forms of malware, all of which specifically target point-of-sale systems in an attempt to steal payment card data from devices' RAM, SAP environments and corporate networks. The source highlighted Backoff, sometimes known as ROM, since this malicious program has infected over 1,000 businesses, including Dairy Queen. Backoff is hard to detect and eradicate, so even if a retailer is compliant, this malware could be living on their systems.
Simply put, POS malware isn't going to disappear because a retailer is compliant. Rather, there are dozens of malicious programs, with a large portion of them infiltrating through PCI DSS compliance cracks.
2. Compliance is about tech
If merchants secure their hardware in adherence with PCI DSS, they will be safe from risk, correct? Not really. There will always be a human factor to account for, as phishing is one of the most common attack vectors. In this sense, compliance doesn't protect a retailer from the biggest threats.
Instead of focusing so much on locking down data, merchants need to bake compliance into their business plans. Strategies should include more than just tokenization and securing SAP environments. This means ensuring that staff members are changing their passwords frequently, avoiding sketchy websites and emails, and deleting user accounts when employees leave the company.
Retailers also need to lock down processes. For example, how does data get from point A to point B securely? This might require an extra system or solution such as integrated payment processing software, but every merchant's needs will fluctuate based on the tools and devices they use to complete transactions. The bottom line is that data should remain tokenized or encrypted at all times, and processes should be made less complex to create fewer holes in compliance.
3. Maintaining compliance is costly
Many retailers believe that the cost of compliance is reason to avoid it. However, non-compliance can be more expensive than going above and beyond simple payment card data protection methods. Simply put, merchants need to invest, and now is not the time to think twice about compliance investments.
"For any regulated firm to thrive or at least survive into the medium- and longer-term, consistent investment needs to be made in the risk, compliance and control functions," says Phil Cotter, managing director of risk at Thomson Reuters.
Cotter went on to explain that it is "vital" for businesses to support compliance. No matter how expensive adhering to PCI DSS gets, this is one of the "best investments for a firm and its senior managers," a Thompson Reuters report read. Maintaining compliance might seem expensive upfront, but in the long-term, many retailers will be glad that they've locked down their payment processing environments.
4. Retailers don't need to worry about anyone else's compliance
Even if a retailer exceeds the minimums of PCI DSS, it is still at risk of compromise thanks to third-party partners. In August 2014, the PCI SSC reported that outside sources are introducing security vulnerability into systems – compliant or not – and often these lead to data theft. The source cited a Ponemon Institute study in which third-party vendors were blamed for not securing networks as tightly as their merchant partners. This should cause merchants to rethink their compliance standards, as going beyond the requirements could go a long way toward preventing a third-party breach.
With the right tools and strategy, any merchant can protect their SAP environments. However, they must first go through the four myths listed above and ensure that their business doesn't believe those misinformed opinions.