Back in 2009, payment processing company Heartland Payment Systems reported that it had fallen victim to a major security breach. Information on more than 100 million payment cards was stolen, leaving Heartland to pay over $148 million in legal settlement fees and various other remediation costs. Lexington Insurance Company and Beazley Insurance Company, who both insured Heartland, paid a collective $30 million to Heartland in the aftermath of the data breach.
Fast forward to June 2018, and the two insurance companies are filing a lawsuit against the data security firm Trustwave. Trustwave had certified Heartland to be Payment Card Industry Data Security Standard (PCI DSS, or PCI) compliant in 2007 and 2008 – the respective years during which code was installed in Heartland’s system through a SQL injection attack, followed by the installation of malware by hackers. Despite Heartland’s status as PCI compliant, neither incident had been detected.
If this shakes your confidence in your enterprise’s security, perhaps it should. Here’s what you need to know about why PCI compliance doesn’t necessarily equal security.
Compliance vs. Security
With news like this, on top of all the other stories of breaches popping up in recent years, businesses that have been certified PCI compliant might not feel as secure in their operations as they thought they were – and for good reason. It’s important to understand that compliance is not the same thing as security.
PCI compliance essentially means your business has met a standard level of security in the realm of processing credit card payments. However, this standard is usually a bare minimum that is, by design, easily attainable by most businesses, meaning it doesn’t equate to the gold standard in cyber security. Smart businesses will strive to achieve a level of security that goes beyond the requirements for PCI compliance.
Moving Past the Security Baseline
If you want to avoid following in the footsteps of data breach victims like Heartland, Target, and countless others, it’s important to develop a robust security strategy. While it’s necessary for businesses that process credit card information to adhere to universal compliance standards like PCI DSS, it’s not sufficient toward true protection of the sensitive data your company handles.
Focus your efforts on creating a security strategy that is proactive in addition to having reactive measures in place. Obvious defenses like good password hygiene, firewalls, and access controls in addition to employee education and training are a good place to start.
At Copper State Communications, we have been meeting the business technology needs of Arizona’s small and medium-sized businesses and enterprises since 1982 – including assisting companies in creating and implementing more effective cyber security strategies. If your business is PCI compliant but you’re unsure if you’re truly protected from a data breach, we’re here to help. Contact us today to get started on the path toward more effective security.