5 Reasons Why PCI Compliance is Not Enough For Security

Once upon a time, we were only concerned about acquiring food and shelter, but modern society has added power, transportation, and amenities to those needs. The number of amenities and resources modern citizens utilize to live comfortably means we are constantly making payments to several vendors and service providers. 

Another change in modern society is using online payment mediums that allow us to make payments via an internet connection and credit card number. Unfortunately, online transactions require us to provide sensitive information to the vendor so they can process the payment. Unfortunately, this can be risky unless certain safety precautions are used to protect customer data.

Most online commerce agencies adhere to PCI regulations to protect their customers, though PCI is not legally required. The restrictions and countermeasures PCI uses make it seem like your information is safe after using a company’s services. While PCI is widespread, there are doubts about its effectiveness in protecting people’s financial data. 

PCI is simply insufficient as the sole security measure and should not be relied upon by any company or customer. We realize this might seem accusatory, but there are valid reasons confirming that PCI is ineffective as the sole security measure employed by commerce websites. That said, we realize you might want a little more information before condemning PCI as a security measure.

PCI Compliance

What is PCI?

As the name implies, the Payment Card Industry Data Security Standard (PCI DSS) is a security standard employed by several industries to protect consumer financial data. The standards that would eventually become PCI DSS originally began as a series of 5 separate security programs created by the major credit card brands:

  • Visa Inc.: Visa created the Cardholder Information Security Program.
  • MasterCard Inc.: MasterCard created Site Data Protection.
  • American Express Company: Amex created the Data Security Operating Policy.
  • Discover: Discover created Information Security and Compliance.
  • JCB Co., Ltd.: JCB created the Data Security Program.

These security standards were designed to create a protocol to protect cardholder information when processing transactions. Despite being created by different companies, each security measure ensured merchants met a minimum level of security that dictated how they stored, processed, and transmitted cardholder data. These protocols usually mean a merchant cannot maintain a catalog of sensitive customer data.

What is PCI

For a company to be PCI compliant, it must meet 12 criteria that dictate how it handles customer data. Under the current version of PCI DSS (3.2.1), the criteria are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data over open, public networks.
  5. Protect all systems against malware and update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a need-to-know basis.
  8. Identify and authenticate access to cardholder data.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain an information security policy that addresses information security for all personnel.

With 12 criteria designed to protect cardholder information, you might think PCI DSS compliance is sufficient for a company to protect your data. The problem is that the compliance tests and requirements are vague and unreliable since they mostly employ surface-level checks. As long as your company meets the minimum requirements of these criteria, you can retain PCI DSS compliance despite the network being vulnerable to attack. We do not expect you to take our word on that. Several reasons prove PCI DSS compliance is insufficient protection for a database.

Reason #1: It is Optional

The first reason PCI DSS certification is insufficient is simple and does not require much discussion. No federal laws mandate PCI certification for companies, meaning no company is legally required to accomplish the bare minimum in security certification.

Using a Credit Card Online

There might be exceptions by state, but ultimately, PCI certification is acquired at the company’s discretion, and smaller businesses might lack the service. Unfortunately, making PCI certification mandatory does nothing to correct the larger issues.

Reason #2: PCI DSS Does Not Cover All Bases

The biggest issue with PCI DSS is that it lulls companies and customers into a false sense of security by making it seem like the data is completely secure. However, there are examples of companies that maintained PCI DSS compliance and fell victim to cyberattacks. This is because PCI DSS requirements have remained static and require minimal checks to verify that a company is adhering to them. 

This means several fatal network security flaws could be overlooked, and sensitive information could be stolen. There was a recent issue where Target, a popular retail chain in the United States, suffered a major data breach 2 weeks after being declared PCI DSS compliant.

Cybercriminal Bypassing Security Protocols

There are multiple types of cyberattacks, and the medium cybercriminals use constantly evolves to match modern security protocols. This constant change means a security measure that was effective 2 years ago is completely ineffective since cybercriminals have learned to bypass it. The biggest problem with PCI DSS is that most companies establish security measures that satisfy the immediate requirements and call it a day. Unfortunately, this is a major problem because this mindset jeopardizes the network’s security since no one is monitoring for vulnerabilities.

Cybercriminals can exploit holes in the security system that passed PCI DSS compliance testing but have since been rendered obsolete by updated attack methods. As a result, sensitive data is stolen and exploited before the company has any idea it occurred. In layman’s terms, PCI DSS compliance tricks people into thinking they do not need a fully staffed cybersecurity department. Instead, they let their security protocols stagnate rather than adapt to new protocols and threats.

Reason #3: Compensating Controls

We mentioned before that the requirements for PCI DSS compliance are not upheld very strongly, and the checks are surface-level at best. One of the biggest reasons this is a problem is that it enables businesses to employ compensating controls for their security measures. Compensating controls is essentially a fancy term for “substitute” and refers to when a company uses one program, tool, or protocol to fill the role of another. 

Compensating controls can either make up for a system the company cannot afford or can backfire and leave the system more vulnerable to attack. There are dozens of protocols and programs available that claim to be effective at repelling cyberattacks, but not all of them live up to their alleged ability.

Employing Compensating Controls

Unfortunately, PCI DSS compliance regulations do not micromanage what protocols and programs are used in the company’s security. As long as the base function of that program meets the requirements, the company will be considered compliant and receive PCI certification. This practice means that PCI certification is willingly provided to companies using lesser security measures to circumvent certain expenses. 

The only saving grace insofar as compensating controls are concerned is that most security programs and protocols are developed enough to have a fighting chance. Unfortunately, most PCI-compliant companies do not update their protocols when the time arises and, as we mentioned earlier, let their system stagnate.

Compensating controls could theoretically be viable if the PCI DSS certification staff provided a list of acceptable alternatives to the main options. But this is not the case since the PCI board does not micromanage these details and allows companies to make this decision themselves. Furthermore, compensating controls are not the only other issue with current PCI DSS compliance regulations.

Reason #4: No Requirements for Wireless Security

Major retailers like Target, Walmart, etc., have updated their storefronts to accommodate modern communication technology. We live in an era where wireless communication and data transfers are the norm while traditional paper transactions are faltering. As part of this transition, most companies have created digital portals through which their services can be enjoyed. This has led to massive wireless networks being created to accommodate the needs of large corporations handling millions of customers. 

While wireless networks are astonishing examples of modern technology, they have more than a few weaknesses that make them susceptible to cyberattacks. Most wireless networks are secured by a team trained to monitor and defend the network through a series of cybersecurity response plans.

Wireless Network Security

However, you might have noticed that PCI DSS compliance requirements only specify that the company must monitor network access. While this is a critical step, wireless network attacks have evolved to the point that monitoring is insufficient, and a fully detailed response plan is essential to its protection. Most corporate wireless networks contain customer financial information, and the network allows that information to be transferred to the proper departments. 

Therefore, an unsecured wireless network could jeopardize the security of that information and endanger the financial security of millions. Since PCI DSS has no official requirements for securing a wireless network, a company can assume that the certification means their network cannot be breached as long as they adhere to the minimum requirements.

While PCI DSS outlines measures that dictate how a company stores cardholder information, it offers too much freedom in establishing this network. Shoring up network security is critical to protecting information, but there is one last issue with PCI DSS to consider.

Reason #5: Renewal

One of the biggest issues with PCI DSS compliance is that the renewal process only occurs every 3 years. This might seem inconsequential since 3 years is not necessarily a long time, but in the world of information technology and cybersecurity, 3 years might as well be 300. Hardware, software, and security protocols usually become obsolete within 12 months of innovation, though certain grace periods exist for more advanced tools. Nevertheless, allowing a company to remain certified for 3 years before renewal is not a good idea. Cybercriminals constantly work around the clock to penetrate existing security protocols and firewalls. Since PCI DSS compliance does not require regular checkups, there is little protocol unless the company employs cybersecurity staff.

Updating a Security System

Allowing 3 years to pass without consistently upgrading the protocols and software could leave the system vulnerable to attack. Therefore, companies relying on the bare minimum to pass PCI DSS certification requirements will likely fall victim to these attacks because their systems are under-protected. If the PCI DSS certification renewal occurred annually instead of every 3 years, this would be less of an issue since the company would at least have to update a few things before requalifying. Unfortunately, this is a minor issue with PCI DSS, and the other lax standards surrounding the qualifications are the biggest.

Technically Speaking…

PCI DSS certification is not something companies should forgo since it does provide a few important features that help secure card data. At the very least, PCI ensures a company maintains proper discretion when communicating customer information internally and processing the transaction. Unfortunately, it does nothing to secure the surrounding databases and networks from cyberattacks that might impact customer data. 

The only effective method for protecting a corporate database is to take the PCI DSS guidelines as a starting point and use it to build a cybersecurity protocol that defends the networks with extensive testing, powerful firewalls, and response plans for potential breaches. The problem is that funding a cybersecurity department is difficult when you have to finance their equipment, workspace, and fees.

A Cybersecurity Expert

We at U.S. Cybersecurity know that maintaining an effective cybersecurity team is fundamental to securing sensitive information. That is why we have dedicated ourselves to providing cybersecurity services to clients needing consistent protection. Our services include penetration testing, response planning, and every other cybersecurity countermeasure needed to preserve the integrity of your network. We are not saying you should forgo your PCI DSS certification but that our services can help ensure you exceed the minimum requirements and that breaches are a minor concern for your network. We highly encourage you to visit our website and assess our various services to see how they can help your business. We are standing by and ready to assist you at a moment’s notice.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.