The dangers of cramming for your PCI test

Sep 08, 2015 | 5 mins

Achieving meaningful PCI compliance, and real security

I am currently working with a tier 1 PCI company, assisting it with various compliance tasks. As part of the project, I am simultaneously preparing it for its annual PCI audit, responding to audits by other organizations for which the company is a key third party, and reviewing organizations that are its key third parties. It seems that with the focus on PCI compliance these days, everyone is auditing everyone else. Despite this, we don’t seem to be reducing the number of credit card breaches, or actually making organizations more secure. 

According to the Verizon 2015 PCI Compliance Report, the number of security incidents is still growing, and at a significant rate: 66% per year. The same report shows that despite all of the PCI audits taking place, most companies are still missing the mark, with 80% failing their interim assessments. Verizon concludes from this that organizations “failed to sustain the security controls they put in place.”

I would characterize the interim assessment failures a bit more bluntly: organizations “cram” to pass their annual assessment, and return to business as usual the day after the audit ends. This is the point at which compliance and security diverge. Being compliant does not make one secure, even after passing an annual assessment. Many tier 1 companies, such as the customer mentioned above, get this, but many others, including some top card processors, don’t seem to understand.

This “check it off and forget it” approach to compliance can be worse than never being compliant in the first place, because it can lead to a false sense of security. As the Verizon report puts it, “data breaches are rarely ‘smash and grab’ affairs.” Hackers going after a major company are usually in it for the long haul. So, the company passes its annual certification, at which point company management, reassured by the audit results, moves on to other things. Procedures get lax again, and the hackers are there waiting for an opening.

On the subject of real versus perceived security, the stakes are high, with card fraud losses closing in on $50 billion annually in 2013. In its research, Verizon found that of consumers who suffered data loss as a result of a breach, 69% were less likely to do additional transactions with the company that lost their data. Also of concern to organizations subject to PCI is that court precedent on card breaches is shifting financial responsibility from the banks, where it has traditionally resided, to the company responsible for the breach. As an example, a recent federal court ruling on the Target card breach found that banks could seek to recover their losses from Target.

So how can you be secure and compliant without having to cram for your test? The following are some practical suggestions: 

Begin with achievable policies 

The PCI standard allows for a good bit of discretion on how policies are formulated, as long as each objective is achieved. Resist the temptation to write an elaborate policy that you will never be able to follow. Instead, your policy should match the specific needs and abilities of your company. Find as simple an approach as you can come up with, and follow it. For example, I could write a 20-page, comprehensive incident response policy and procedure, or I could create one that was simple and effective at only two pages. The extra 18 pages do not necessarily make it better for you.

Keep notes 

If at any point you are subject to an outside audit, it will be critical for you to demonstrate that you are following your achievable policies (in the compliance world, we call this evidence). The best way to show this is to make notes as you complete each policy task, and retain the notes — for at least six years.

Automate where practical 

I am not a fan of trying to throw money at security, but there are affordable automation solutions that can help to lighten your load, with plenty of bang for your buck. I would include in this category such tools as log consolidation and analysis, web vulnerability monitoring, and intrusion prevention.

Major on the majors 

PCI is a broad standard, but there are elements that are particularly important. These include an annual risk assessment, restriction of access to cardholder data (CHD) to those with a need to know, a designated security officer that is really on top of things, incident management, and protection/encryption of CHD. I am not suggesting that you can ignore the others, but your effort should begin with the critical areas.

Have someone in charge 

There needs to be someone in charge of making sure your policies and procedures are being carried out on a daily basis. In a perfect world, this would be a full-time employee with nothing else to distract them. The world is less than perfect, however, so a compromise may be required. It is OK to compromise on how you allocate personnel time for this, but not OK to compromise allocating it in the first place.  

Bottom line: Pursue compliance that accompanies real security, and that continues well after your assessment is complete. Your business, and the integrity of my credit card number, depend on it.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with an emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.