Monday, June 29, 2009

Payment Processors . . . . Are you Listening?

While compliance with PCI DSS is certainly a worthy goal for any business that processes credit card payments, meeting the DSS criteria should be the absolute minimum a company does to protect payment card data. Unfortunately, many companies see PCI certification as their end goal. They view PCI compliance as simply being able to meet each section of the DSS. The harsh reality is that PCI certification is a "snapshot" of a company's systems at one point in time. Maintaining compliance is an ongoing process, and simply doing everything the Data Security Standard requires may not be enough; in practice, it isn't.

Think about it: how many changes occur to your systems on a daily basis? How many attacks are there against your systems every day? How long does it currently take you to investigate and remediate changes to your systems, whether malicious or not? How long does it take for someone to steal payment card data? How many customers do you lose each minute your server is down and unable to process card data?

Recent data breaches at companies such as Heartland Payment Systems dramatically illustrate how vulnerable companies are. If the 9th largest payment processor in the world, a business that should have the resources to adequately secure its data, can fall prey, what about your company? The exponential rise in malicious code being introduced on a daily basis should also give you pause. The Symantec Global Internet Security Threat Report for 2008 details this quite nicely. Zero-day attacks frequently slip through your network's defenses. Finding ways to stop them should be a pressing issue for anyone involved in IT security.

Being able not only to instantly detect but also to instantly respond to IT changes is going to be crucial going forward in order to secure valuable data. As IT personnel are asked to do the same amount of work (or more) with fewer resources, automating processes becomes even more important. Data breaches don't always happen between 9 and 5, and if the hacker is smart, they probably won't. Who is responding to potentially malicious changes at 3 a.m.? In many cases, probably no one. If this isn't a scary thought that should make every information security person cringe, I don't know what will. The future of data security lies in automating processes so that changes are identified and remedied in real time, without human intervention. The net results are that systems stay compliant and, most importantly, data stays safe.
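The detect-and-remediate loop described above, as an added example that is not code from the original post or from any product: it hashes every file under a monitored directory, compares against a baseline, and then restores altered or deleted files from a known-good "golden" copy and quarantines unexpected additions, with no operator in the loop. The directory layout, the sample configuration file and the tampering it demonstrates are all constructed for the example; a real deployment would keep the golden copy and baseline on a separate, write-protected host and run the cycle on a schedule.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            state[str(p.relative_to(root))] = (file_digest(p), p.stat().st_mode & 0o777)
    return state


def diff_snapshots(baseline, current):
    """Classify drift as added, removed or modified (content or permissions)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def remediate(root, golden, quarantine, baseline, findings):
    """Restore modified/removed files from the golden copy and move additions aside.

    Returns an audit trail of (action, path) tuples so the 3 a.m. run still leaves evidence.
    """
    root, golden, quarantine = Path(root), Path(golden), Path(quarantine)
    actions = []
    for rel in findings["modified"] + findings["removed"]:
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, dst)
        os.chmod(dst, baseline[rel][1])  # reapply the baselined permission bits
        actions.append(("restored", rel))
    for rel in findings["added"]:
        dst = quarantine / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(dst))  # keep the file for forensics, off the live path
        actions.append(("quarantined", rel))
    return actions


def run_demo():
    """One full cycle on constructed data: baseline, tamper, detect, remediate, re-verify."""
    work = Path(tempfile.mkdtemp())
    app, golden, quarantine = work / "app", work / "golden", work / "quarantine"
    (app / "bin").mkdir(parents=True)
    # Constructed stand-ins for a card-processing host's config and script.
    (app / "payment.conf").write_text("tls_min_version=1.2\nlog_level=info\n")
    (app / "bin" / "process_cards.sh").write_text("#!/bin/sh\necho processing\n")
    os.chmod(app / "bin" / "process_cards.sh", 0o750)
    shutil.copytree(app, golden)  # known-good copy taken at the same time as the baseline
    baseline = snapshot(app)

    # Simulated unauthorized drift: weakened config, deleted script, unknown new script.
    (app / "payment.conf").write_text("tls_min_version=1.0\nlog_level=info\n")
    (app / "bin" / "process_cards.sh").unlink()
    (app / "bin" / "extra.sh").write_text("#!/bin/sh\n")

    findings = diff_snapshots(baseline, snapshot(app))
    actions = remediate(app, golden, quarantine, baseline, findings)
    after = diff_snapshots(baseline, snapshot(app))  # should show no remaining drift
    shutil.rmtree(work)
    return {"findings": findings, "actions": actions, "after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The check worth keeping from this example is the second `diff_snapshots` call after remediation: an automated fix that is not re-verified against the baseline is just another unaudited change.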