Most of us have seen the headlines about the major credit card breaches at global corporations such as Target and Home Depot; however, those incidents merely scratch the surface. For every Target or Home Depot cyberattack, dozens of small or local companies have experienced data breaches as well, most of which go unnoticed by the press or the public. In addition to losing revenue and customer confidence, these companies may also face severe fines and penalties from their acquiring banks for failing to maintain PCI compliance. So how can companies fortify themselves against future credit card breaches?
Credit card hacking is big business
Organized hacking groups, many based in Russia and neighboring eastern European countries, constantly scan the Internet for American companies with weak cyber defenses. Once they have a target, they engage highly skilled individuals with strong training in mathematics and computer science to launch a sophisticated cyberattack. Many of these hackers are young people without a job and with lots of time on their hands. They do not see the direct, harmful effects that a cyberattack has on individuals and businesses, and each successful hack reinforces their self-image as talented programmers. Finally, the hacking groups provide good training and easy money, so there is little incentive for them to find another line of work.
Organizations lack in-house security and PCI compliance expertise
Many organizations fail to understand the difference between having a secure environment and being PCI compliant: compliance is a point-in-time attestation that a defined set of controls was in place, while security is an ongoing property of the environment that can lapse the day after an assessment. They typically operate with limited IT resources that lack the necessary expertise in security and PCI compliance. This is compounded by the fact that the PCI compliance requirements are complex and difficult to interpret, even for the most experienced IT professionals.
A recent analysis of annual PCI compliance assessments covering more than 500 large organizations showed that only 11.1% of enterprises maintained their compliance status between assessments. With more than 400 controls and sub-controls that must be implemented correctly under PCI DSS 3.0, many resource-constrained companies treat PCI compliance as a one-off activity instead of a year-round risk mitigation initiative.
Building a secure and compliant environment is not easy. The seemingly simple task of obtaining buy-in from the executive level may be challenging, if not impossible, to achieve. Finding experienced security professionals can be difficult and expensive. And creating a working security infrastructure, which is the foundation of PCI compliance, can be cost prohibitive.
HOSTING Managed Compliance Services
PCI compliance is not a one-off metric that companies need to attain once a year. It has to be part of a year-round risk-mitigation effort. Companies also have to adopt, monitor and maintain strong security measures, rather than treating security as a necessary evil.
To help organizations effectively manage their compliance-related activities, we offer HOSTING Compliance-as-a-Service (CaaS). Developed and tested by our ITIL-certified security and compliance experts, HOSTING CaaS empowers companies to take a measurable, proactive stance in meeting PCI DSS requirements.
Join me on Thursday, March 19th, at 2:00 pm Eastern time for my webinar, The Changing Compliance Landscape. I'll discuss the benefits and risks associated with CaaS and offer tips for selecting the right solution for your business. Bring your questions and leave with the information you need to invest confidently in a CaaS solution. In the meantime, learn the five steps you can take to improve your organization's PCI compliance program by reading our blog post, Surviving the Year of the Hack.