Thales Blog

So, You’re Compliant With PCI DSS, But Is Your Cardholder Data Really Secure?

March 1, 2010

One payments security initiative that has gained a great deal of attention in the last couple of years is PCI DSS. But what exactly is the experience of those on the ground who are dealing with PCI DSS compliance? Thales has recently carried out some research with The Ponemon Institute that looks into PCI DSS from the perspective of the Qualified Security Assessor (QSA) community.

Much of the responsibility for the success of the standard is in the hands of these certified auditors, and the study has revealed some interesting information about the way organisations approach compliance and how they protect sensitive information.

One finding to come from this research is that while only two per cent of businesses outright fail PCI DSS compliance audits, 41 per cent would fail if unable to rely on temporary ‘compensating controls’. In other words, although they do not meet the requirements as written, they still pass the QSA audit because they have other mechanisms in place that are accepted as doing the same job. Such compensating controls enable companies to tick the relevant compliance box in the short term, but raise the question of what is to happen when such temporary fixes are no longer viable.

The finding also raises interesting questions as to how companies are approaching PCI DSS compliance. It’s easy to fall into the trap of check-box syndrome: compliance for compliance’s sake. The fact that so many companies are relying on these compensating controls is causing significant concern among QSAs that many merchants are doing just that: focusing primarily on complying with PCI DSS and less so on what should be equally important – protecting sensitive information.

Finally, the research has also found that QSAs believe the most difficult requirement for merchants to meet is restricting access to cardholder data by business need-to-know (PCI DSS Requirement 7). At the same time, however, they believe this to be the most important element of compliance. After all, PCI DSS was set up to protect cardholder data and to help bring an end to cardholder data breaches. A business may have the most advanced systems to try to lock out criminals, but if it can’t limit access to cardholder data to those who have a need to access it, then how can the system ever be considered secure?

So what do QSAs recommend to protect cardholder data? The research found that 60% of QSAs believe encryption is the best approach, while 81% recommend or require hardware security modules (HSMs) to manage data protection.

PCI DSS compliance isn’t easy, and it’s not all about any one technology or process. But in the end, those businesses that focus on protecting cardholder data will have the most success with compliance and with keeping their name out of the headlines.