News Feature | February 4, 2015

Is It More Important To Be Compliant Or Secure?

Source: Innovative Retail Technologies
By Bernadette Wilson, Integrated Solutions For Retailers

Rodolphe Simonetti, managing director of compliance consulting at Verizon Enterprise Solutions, says the Verizon Enterprise Solutions 2015 PCI Report, due for release in a few weeks, seeks to answer common questions businesses are asking about compliance and the security of credit card data.

Simonetti previewed the report, based on 5,000 compliance assessments in 30 countries around the world, at NRF Big Show 2015 during a panel discussion on securing mobile and retail payments, hosted by Verizon Enterprise Solutions. 

“What we can see, from the compliance assessments and the forensics investigation is, in fact, from the hundreds of companies we have seen, not a single company was compliant at the time of the breach,” Simonetti says. “It’s quite an important number … 100 percent of the companies that were breached were not compliant at the time of the breach.”

Another statistic he shared linked security to security standards: “We see that most breaches, 99 percent of them in fact, are not a failure of the standards. They’re a failure of the implementation of the standard, and that’s quite important.”

In addition, the report concludes that about 71 percent of companies found in compliance at the time of their assessment fail to maintain compliance throughout the year. Simonetti comments that this number shows “most companies still see compliance as a project — a project they manage for one, two, or three months a year — and they are not using compliance as a process to support security. In fact, that’s the only way to be effective.” He says asking “Is it more important to be compliant or secure?” is the wrong question, because the two are closely related.

Simonetti was joined on the panel by Greg Buzek, founder and president of IHL Group, and Marianne Johnson, EVP and global head of products and innovation at Elavon. The panel was moderated by Michele Dupre, Verizon VP of retail and hospitality.

The discussion of PCI compliance continued as Dupre invited questions from the audience. One NRF attendee asked why retailers don’t outsource the management of PCI compliance and if something holds them back from doing so.

Buzek answered that there are limitations and the guidelines for PCI compliance are numerous. “When you start to talk about outside compliance, it’s always a balance between can we be nimble? Can we be fast? I think one of the things that we see now is, when you look at IT spend, it's usually about one-and-a-half percent of revenue. But we’ve seen a major thing happen here recently, where the chief marketing officer's budget is now being used for IT spend, because we want to engage socially. We want to do things very quickly.”

He continued, “The IT budget’s a rounding error for the marketing guy, and that opens up other security issues that are there. It’s a responsiveness and an innovativeness that’s necessary for the business to function, that, I think, prevents you from just simply saying, ‘Let’s outsource all of this.’”

Another NRF attendee said the business side of retail will say PCI compliance is too hard and difficult to maintain. Furthermore, they don’t see it as being designed to support a process. The audience member asked the panel if there was something fundamentally wrong with the way PCI is structured that inhibits compliance from being more of a process.

Simonetti responded, “PCI is a toolbox and a set of controls. It’s as effective as you are good using them. PCI is enforcing a few things, but if you check carefully the PCI controls, most of them are very basic security.”

He continued, “I can understand that some of the PCI controls are seen as challenging, but most of them make sense … PCI should definitely be seen as ultimate security.”

“It’s probably one of the only efficient tools [businesses] have to manage credit card security today,” Simonetti said.

This year’s Verizon Enterprise Solutions 2015 PCI Report shows the areas in which companies most often failed to maintain compliance, including firewalls and network security, security testing, and patching their systems. It also includes recommendations to help organizations improve their security and their response to security breaches.