‘Compliance fatigue’ sets in

Yes, compliance with multiple security frameworks is difficult, time-consuming and expensive. But those who defend it point out that being breached causes much worse headaches


Or, all one needs to do is look at the headlines. In January, Anthem Inc., the nation’s second-largest health insurer, discovered a breach that reportedly affected the health records of 78.8 million people. Just this past week, Premera Blue Cross, a major provider of health care services in the West, announced that an intrusion into its networks may have compromised the financial and medical records of 11 million customers. The breaches are more evidence that health records are now considered more valuable than credit card information.


Everybody in the business agrees that security is important and worth time, effort and money. But there is disagreement over the expectation that complete compliance 100 percent of the time is even possible.

“There’s always a time when you are out of compliance to some degree,” Mogull said. “That’s how the PCI Security Standards Council gets away with saying (expletive) like, ‘no PCI compliant organization has ever been breached.’ Yes, they really say that – they revoke certification after every breach.”

Alphonse Pascual, director, fraud and security at Javelin Strategy & Research, is somewhat sympathetic to merchants as well. “Merchants are pushing back on the notion that PCI DSS is a fair standard,” he said. “Instead it is being portrayed as a Band-Aid for an inherently insecure method of payment which merchants are being unfairly asked to subsidize, while at the same time having to pay for the privilege of accepting card payments.”

Conroy said that as technologies such as tokenization and point-to-point encryption become more pervasive, “the burden on merchants will decrease, but unfortunately we’re still in early stages there.”

Meanwhile, 100 percent of the time may be out of reach. But Chuvakin and others say it is possible to get much closer. One way to move in that direction is to reduce the “scope” of what is covered by compliance regulations.

“If you have 10,000 systems, do you think all of them legitimately have to handle regulated data?” he asked. “Probably not, so reduce the scope, build walls around it, then implement compliance controls inside that ‘walled garden.’”

Or, as the Verizon report put it, “if you store less cardholder data in fewer places, it reduces the opportunities for breaches to occur and limits the damage that a breach can cause.”

A way for smaller PCI organizations to reduce their scope, according to Dennis Devlin, CISO and senior vice president of Privacy Practice at SAVANTURE, is to “use virtual terminals and not store any credit card information locally. If you can't run in the tall grass with the big dogs, stay on the porch,” he said.

Technology can help as well, according to Isaacs, whose firm has developed a knowledgebase tool to navigate the maze of regulations to help organizations know exactly which ones apply to them.

And once organizations know what applies to them, experts say technology can also help them maintain compliance. Reuven Harrison, CTO and cofounder of Tufin, insists that it can be done, “by embedding automated compliance checks and documentation into IT change processes.”

Devlin agreed. “Policies need to be monitored 7x24x365 via automated business rules that can detect anomalies and deviations from normal, correlate the events, and provide actionable intelligence and guidance,” he said.
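The two ideas above, shrinking the compliance scope to a walled-off cardholder data environment and then wiring an automated check into the change process, can be made concrete with a small gate that runs before a firewall change is approved. The following is an added illustration, not code from the article or from any of the vendors quoted in it; the system inventory, the zone names, the allowlisted jump host and the change tickets are all constructed sample data, and the policy rules (no new path from outside the CDE into it unless allowlisted, no new outbound path from the CDE to unregulated systems, no PAN stored outside the CDE) are a hypothetical policy chosen for the example.

```python
"""Added example: a pre-change compliance gate for cardholder-data scope.

Models two points from the article: reduce scope to a walled-off cardholder
data environment (CDE), then embed an automated check into the IT change
process so a proposed firewall rule is evaluated against that boundary before
it is applied. Inventory, zones, allowlist and tickets are constructed sample
data; the policy rules are hypothetical, not taken from PCI DSS text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    zone: str          # "cde" (the walled garden) or "corporate"
    stores_pan: bool   # holds primary account numbers at rest


@dataclass(frozen=True)
class FirewallChange:
    ticket: str
    src: str
    dst: str
    port: int
    action: str        # "allow" or "deny"


# Constructed sample inventory; one corporate database holds PAN it should not.
INVENTORY = [
    System("pos-gateway-01", "cde", stores_pan=False),
    System("card-vault-01", "cde", stores_pan=True),
    System("hr-fileshare-01", "corporate", stores_pan=False),
    System("marketing-db-01", "corporate", stores_pan=True),
    System("jump-host-01", "corporate", stores_pan=False),
]

# Constructed policy: the only inbound path into the CDE from outside is the
# hardened jump host over SSH. Everything else widens the scope.
ALLOWED_INBOUND = {("jump-host-01", 22)}

# Constructed change tickets awaiting approval.
SAMPLE_CHANGES = [
    FirewallChange("CHG-1001", "jump-host-01", "card-vault-01", 22, "allow"),
    FirewallChange("CHG-1002", "hr-fileshare-01", "pos-gateway-01", 445, "allow"),
    FirewallChange("CHG-1003", "card-vault-01", "marketing-db-01", 5432, "allow"),
    FirewallChange("CHG-1004", "hr-fileshare-01", "jump-host-01", 445, "deny"),
]


def scope_findings(inventory):
    """Systems holding PAN outside the CDE: each must move inside the wall or
    stop storing card data, otherwise the "reduced" scope is fiction."""
    return [s.name for s in inventory if s.stores_pan and s.zone != "cde"]


def evaluate_change(change, inventory, allowed_inbound=ALLOWED_INBOUND):
    """Return a list of findings for one change; empty means it passes."""
    by_name = {s.name: s for s in inventory}
    findings = []
    if change.action != "allow":
        return findings  # a deny rule never widens the boundary
    src, dst = by_name.get(change.src), by_name.get(change.dst)
    if src is None or dst is None:
        # An incomplete inventory makes the check meaningless; fail closed.
        findings.append(f"{change.ticket}: unknown system in rule "
                        f"({change.src} -> {change.dst}); fix inventory first")
        return findings
    if (dst.zone == "cde" and src.zone != "cde"
            and (src.name, change.port) not in allowed_inbound):
        findings.append(f"{change.ticket}: {src.name} ({src.zone}) would reach "
                        f"CDE host {dst.name} on {change.port}; pulls it into scope")
    if src.zone == "cde" and dst.zone != "cde":
        findings.append(f"{change.ticket}: new outbound path from CDE host "
                        f"{src.name} to {dst.name}; possible card-data egress")
    return findings


def gate(changes, inventory):
    """Run the gate over a batch. Returns (approved tickets, {ticket: findings}).
    The findings double as the documentation trail the change record keeps."""
    approved, rejected = [], {}
    for change in changes:
        findings = evaluate_change(change, inventory)
        if findings:
            rejected[change.ticket] = findings
        else:
            approved.append(change.ticket)
    return approved, rejected


if __name__ == "__main__":
    print("PAN outside CDE:", scope_findings(INVENTORY))
    ok, bad = gate(SAMPLE_CHANGES, INVENTORY)
    print("approved:", ok)
    for ticket, notes in bad.items():
        print("rejected:", ticket, *notes, sep="\n  ")
```

In practice the inventory and zone tags would come from the CMDB or network segmentation tooling and the gate would run as a step in the change-ticket workflow; the point of the example is that the scope boundary becomes a machine-checkable rule rather than something reviewed once a year.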

Stephen Orfei, general manager of the PCI SSC, didn’t offer any views of technology solutions for compliance, but said, “the bottom line is no technology or tool can replace the need for vigilance in security activities.”

Pascual agreed with that mandate. “It (compliance) is not a once a year affair,” he said. “It needs to be baked in throughout the business. If you’re not doing that, you won’t be compliant and eventually you’ll pay the price.”

Copyright © 2015 IDG Communications, Inc.
