Why PCI compliance has become a critical issue

Oct. 29, 2019
As human reality gets safer over time, it seems more of the fight moves online

Even though people are healthier on average and living longer in the real world, the dreaded cyberattack strikes fear into the hearts of businesses and individuals alike. Whether it’s sensitive business records or personally identifiable information with a credit card number, we need to think about protecting ourselves online the way we used to think about protecting ourselves when we left the house. Informed consumers understand cybersecurity is personal security.

There are helpful frameworks in place to get businesses handling data like credit card numbers with secure confidence. Payment card industry (PCI) compliance is the specific standard these companies need to pursue. Any business collecting payment card data online or processing credit card transactions needs to meet PCI compliance standards. PCI-compliant organizations have designed their operations to meet a defined cybersecurity threshold and can consider themselves protected against a defined set of known threats.

Beyond these benefits, PCI compliance also engenders a deeper awareness of cybersecurity topics throughout an organization.

Pursuing PCI compliance means you’re taking cybersecurity seriously, and more and more businesses are doing so in 2019. It seems like there’s news of a high-profile breach every week or two, and it costs a business tremendous amounts of time and money to put its wheels back on after a cyberattack. When businesses meet PCI compliance standards, their infrastructure goes a long way toward preventing such attacks from ever happening in the first place.

Here’s why PCI compliance is important to today’s cyber ecosystem.

Because the internet moves loads of data around the world, and some of it is yours: Protect all data as if it were your data!

This genie is already out of the bottle. Whether you like it or not, a deep, scattered record about you lives online. It’s stored across the servers that different companies use to keep tabs on their customers. Whether they gathered it from you in person or you volunteered it to them yourself, companies have our data (and we move within their radar) simply by virtue of our living a modern life.

We often send our personal information far and wide across the internet without a second thought. Type in your birthday for a horoscope, for example, or your credit card number to complete an online purchase. Our personal data is often the missing ingredient needed to complete an action online (the last name for the food delivery, the credit card number for the Amazon order).

Beyond simply “depending on the internet,” humans in 2019 depend on its ability to rapidly move data from one place to many others. If some of that information is your sensitive or identifiable details, then it only makes sense to have well-defined avenues and guidelines to move that data securely.

It’s important to keep in mind that there are multiple copies of our data living on other organizations’ servers and cloud services. A breach of someone else’s inferior security can still mean that your personal details are exposed.

PCI compliance is about highly informed people sharing guidelines to protect everyone’s information the same way those experts would want to protect their own.

Because cyberattacks are on the rise: Don’t let the smiley Amazon logo tease you while you wait for your Prime delivery — the internet landscape is rugged and bloodthirsty. Not only has the internet generally opened the door for new categories of crime to be committed, but there are literal pirates out there actively seeking to do harm to business infrastructure or otherwise gain access to valuable personal information.

And they’re doing it more often than ever before. In terms of the frequency of cyberattack events (and the total cost they represent to victimized companies), the cybercriminal business is booming. Data from Carbon Black shows that cyberattacks are proliferating as hackers gain malicious access to, or control of, other people’s data.

The motive driving increased cyberattacks is rather transparent: it’s financial greed. Hackers can sell stolen data on the black market, where it can be paired with freely available personal information from the public record to become much more powerful in the aggregate.

Combinations of free resources (like phone books and Googling) with some paid resources (like a massive database stolen by a hacker) can provide enough data to open valid credit cards or potentially cause deep damage to someone’s identity. But organizations that achieve PCI compliance have all the hardware and business processes they need to conduct honest business on a bloodthirsty internet.

Because non-compliance fees are inefficiencies worth noticing and getting out of: PCI compliance will help you establish a feeling of organization-wide equilibrium, or at least a way to identify it and get there. And productive equilibrium surely involves doing whatever it takes to end the obligation to pay expensive fees that reduce business potential.

About the Author:

John Shin is the Managing Director at RSI Security and has 18 years of leadership, management and Information Technology experience. He is a Certified Information Systems Security Professional (CISSP), CISM, and Project Management Professional (PMP). He is the principal author of multiple Internet privacy and security technology papers, such as Dominant Cyber Offensive Engagement and Supporting Technology and Reconnaissance & Data Exfiltration for the U.S. Air Force Research Laboratory. His area of expertise is IT security and technology management. He was responsible for external customer information systems as well as global infrastructure operations at Abraxas Corporation, a risk mitigation technology company solely focused on the National Security Community. Mr. Shin also held several management positions in the IT/Bioinformatics division of Genoptix Inc. (Nasdaq: GXDX). During his tenure at SunGard, Mr. Shin worked as an operations engineer responsible for mission-critical infrastructure and ISO-compliant system processes.