What’s to be Done About PCI-DSS?

February 6, 2014

Are the retail industry and its customers better protected by adhering to the PCI DSS standard, or is the standard useless, as some pundits are rushing to conclude?

We would be worse off without PCI. It remains an essential weapon in the war against cybercrime. We can never know how many breaches its principles and practices have thwarted. Nor can the industry risk abandoning the standard now.

The recent Neiman Marcus and Target hacks illustrate that nothing is perfect. The standard is not perfect, nor are retailers’ implementations always perfect. PCI DSS addresses known issues, aiming to combat known threats and, to the best of anyone’s abilities, anticipated ones. Throughout each stage of its lifecycle, the standard is fixed in place for all to see and conspire against until the next iteration. It is its own target.

More likely, the hackers revealed encryption vulnerabilities yet to be accounted for. That’s what hackers do. Would widespread use of chip-and-PIN credit cards instead of magnetic stripe cards have averted this breach? Possibly so, at least for a while. U.S. card issuers and retailers may have to make the massive technology investments in chip-based cards that much of the world has already made.

For any shortcomings it may have, the PCI-DSS standard is another battlement in the war against cybercrime, an industry united front. Adhering to its best practices and auditing requirements encourages organizational discipline and vigilance.

As an advocate for and a practitioner of PCI compliance best-practices (as well as of the many other compliance requirements our customers must adhere to) in cloud implementations, we experience the benefits first hand every day. The process and the commitment make us a more effective partner across all aspects of our business.