More Companies are Compliant – But are they secure?

If 2014 was the “Year of the Data Breach,” the attention it drew seems, slowly but surely, to be having an effect. Headline after headline announcing some new intrusion, especially at high-profile businesses and other organizations, created such an inescapable flurry that everyone must have taken notice, from CEOs all the way down to college interns.

So, the recent Verizon PCI Compliance Report comes as welcome news. While the percentage of surveyed companies found fully PCI DSS compliant during an assessment last year may sound low (20%), the figure was 11.1% in 2013 and 7.5% in 2012. Of course, 20% is still a low number, and Verizon attributes this to organizations being fully compliant only at a single point in time: staying continuously compliant between assessments eludes most companies, leaving them vulnerable when a breach finally arrives on their doorstep.

The report also suggests that organizations often approach compliance in a lackadaisical, myopic fashion, treating it as a test they have to pass rather than as a continuous cycle of protecting and maintaining systems and data and probing for weaknesses. “Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment,” said Stephen W. Orfei, general manager at the PCI Security Standards Council, in a statement. “Only a combination of people, process and technology, and a focus on making security a ‘business-as-usual’ practice will help thwart these constant threats.”

Of course, the recurring question that always gets thrown about is “Which is more important, security or compliance?” Compliance does not necessarily equal security, and eSecurityPlanet quotes Shift4 CEO Dave Oder as saying that the scramble to check all the PCI boxes lulls companies into a false sense of, well, security. And with new compliance regulations and standards always coming out, the whole process only gets more complicated, and it becomes easy to miss the forest for the digital trees.

Even so, it remains encouraging to see any rise in the number of fully PCI DSS compliant companies, as it signals increased, proactive attention to cybersecurity, which will better prepare organizations to respond, legally and technically, if a data breach does occur.