PCI compliance often ineffective in stopping data thieves

September 23rd, 2009

In concept, at least, the Payment Card Industry Data Security Standards form a useful and necessary layer of protection, well designed for the specific task of keeping thieves from getting their mitts on credit- and debit-card account numbers and PINs.

Now come the Ponemon Institute and tech security firm Imperva with results of a survey underscoring what cyber criminals — and merchants and banks — know all too well: PCI is having only a limited effect.

PCI is a set of voluntary requirements established by Visa and MasterCard to help organizations protect cardholder information. Merchants and financial firms that don’t comply with PCI rules can be fined by Visa and MasterCard.

Ponemon and Imperva surveyed more than 500 companies globally that cumulatively generate annual revenues of $5.6 billion and found:

  • 71% of companies do not treat PCI compliance as a strategic initiative, yet 79% have experienced a breach.
  • 55% only focus on credit card information and do not secure Social Security numbers, driver’s license numbers, and bank account details.
  • Consumers are more at risk doing business with smaller companies: only 28% of these comply with PCI as opposed to 70% of companies with 75,000 or more employees.

Verizon’s forensics show similar pattern

Imperva’s findings fit hand-in-glove with Verizon’s 2009 Data Breach Investigations Report. LastWatchdog highly recommends that anyone curious about commonalities in actual database breaches read Verizon’s 2009 report and its predecessor, the 2008 Data Breach Investigations Report.

Verizon closely examined patterns in more than 590 data breach cases from 2004 through 2008, in which 515 million records — mostly payment card data — were ripped off. In each of these cases, Verizon was hired to do a CSI-like forensic probe. Its crack investigators found, among other things, that 81% of the companies breached in 2008 did not comply with PCI.

TJX, parent company of TJ Maxx and Marshalls, was famously not in compliance with PCI rules in 2007, when hackers extracted some 94 million cardholder records over the course of approximately eight months, a record at the time.

But the Hannaford Brothers grocery store chain was in compliance when it lost 4.2 million cardholder records. So, too, was Heartland Payment Systems when it ignominiously broke TJX’s record, losing 130 million payment card records over a period of 13 months. Albert Gonzalez of Miami has pleaded guilty to playing a role in the TJX hack, and faces charges related to the Hannaford and Heartland hacks.

Going through the motions

Heartland “went through the motions without actually implementing a meticulous and rigorous data security program,” says Imperva CEO Shlomo Kramer. “Companies that don’t use PCI as a strategic initiative will cover only credit card numbers and not other data that’s equally problematic to lose like Social Security numbers.”

Kramer notes that the PCI rules only require companies to focus on payment card data; other data, such as Social Security numbers, birth dates and driver’s license numbers, isn’t covered.

Still, PCI is having a positive impact by “bringing security to the table and forcing companies to think about data protection,” says Kramer. “Many companies (27% in our survey) have used PCI to force data security high onto the executive and corporate priority list.”

Photo of Kramer by Imperva; graphic by http://www.thewebshop.ca/home

By Byron Acohido


Hey Byron,

Great post. It makes me wonder if “Security” is dying and if “Risk Reduction” and “Compliance” are becoming the new King and Queen.


Evan Schuman
An interesting piece, but I’m not sure what this says that isn’t already widely known, at least in retail circles. Your first bullet (“strategic initiative”) makes sense because PCI procedures are by definition highly tactical, just like Sarbanes-Oxley procedures or HIPAA forms. So the fact that most retailers don’t see it as strategic makes perfect sense. I’d be more interested in hearing from the 29 percent who said that they thought it was strategic and asking them how they’re defining strategic. The “55 percent only focus on credit card information” is sort of confusing as the story is about PCI…
Matthew Moynahan
The information in the Imperva study, as well as that contained in the Verizon reports, is also related to and corroborated by a recent study performed by Veracode in partnership with Forrester Research. That study revealed that exploitation of vulnerabilities in software is a major cause of data breaches. 62% of companies in the survey responded that they have experienced security breaches which exploited vulnerabilities in software in the last 12 months. So, how does this relate to PCI? Well, there seem to be several systemic issues that are hindering the mass adoption and successful implementation of PCI. Certainly one…
Steve Moyle, Secerno
I was on the Webcast from the Heartland CEO about their breach. Heartland were NOT simply going through the motions with PCI. They were investing in security – at the same rate before and subsequently. He was not simply paying lip-service to the standard. Security is just a fiendishly difficult thing to achieve – the defender must prevent all attacks whilst the attacker only needs to get lucky once. I agree that PCI is not taken seriously by all firms – and many hide behind the words of the standard rather than embracing the spirit of it. For those firms…
Philip Lieberman
Hi Byron, I agree wholeheartedly with your position on PCI. Inherently it is a band-aid on a gigantic open wound that needs much stronger solutions. Outside of the United States, banks and credit card processors have implemented security measures such as smart credit cards and PIN generators for consumers. These measures make the recording of credit card information useless to hackers and criminals. Unfortunately the credit card industry here in the USA felt it was cheaper to force PCI on merchants and fine them for breaches instead. The idea of protecting personal sensitive data (such as driver license information and…
Jason Miller

This just shows how companies are accepting risk instead of mitigating it. The numbers in these reports are absolutely astounding.

Is this the case of too many companies who would rather pay the fine than implement security measures? In other words, they would rather pay the $500,000 fine than implement a $2,000,000 security rollout. Is the focus lost on consumer protection in lieu of the bottom line for board members?

One can only hope that PCI continues to grow beyond its current standards and will be addressed with stiffer penalties.

Jim Hurley
Most external auditors won’t laugh in public about PCI, but they don’t gush with praise about it either. We are likely to have additional reports of organizations in compliance with PCI but that have suffered the loss or theft of customer data, credit card information included. The reasons for this include: 1) PCI is only a snapshot of the practices at the time of the assessment; 2) PCI is an assessment, not an audit. So what can you do if you have passed a PCI audit and want it to mean something? Avoid getting trapped by the chimera of checking off the PCI…
David Berman
To summarize comments presented by several others, PCI compliance can never be the goal of the organization, but compliance is an outcome of a sound security program that is periodically assessing the risk of all forms of internal and external data breaches. The PCI data security standard has heightened security awareness, but the council’s ongoing development of the standard is a clear signal that it cannot be relied upon as an organizational framework for a complete network and data security program. Processes and systems need to be put in place that allow organizations to enforce both corporate and security…
Aaron Aubrecht
The PCI Data Security Standard is a great start in helping institutions ensure they take appropriate measures to protect customer information. However, for many organizations, PCI has become a classic case of confusing the means with the end. A holistic enterprise security program requires addressing four key elements: protecting the infrastructure, protecting the information, effective systems management, and developing and enforcing IT policies. On this last point, developing and enforcing IT policies, considerable research has been done that shows that companies with a structured governance approach – starting with a clear and well communicated set of security objectives, then leveraging…
Mandeep Khera
Hey Byron, great topic and nice coverage. It’s certainly got a lot of people’s attention. I have to agree with some of the comments above but disagree with some of the others. – First, PCI is a great step forward and yes, it’s ambiguous and not perfect. But I am attending the PCI council meeting this week and I am very pleased to see the council’s openness to receiving feedback so they can improve the standard. I think it’ll only get better. – Before PCI, most of the regulatory standards including GLBA, SOX, HIPAA, SB1386, AB 1950, etc. were even…
Tim Brown
Byron – great article with frustrating ramifications. I think you’ve nailed two key issues: (1) for larger, more mature enterprises, PCI is not a complete security practice; and (2) for smaller companies, the risk (and impact) of a data breach is very much prevalent today and only going to get worse. For larger enterprises, I agree with Mr. Kramer that PCI is only about protecting what the credit card companies want to protect…it’s a watered down version of broader standards such as ISO 27002 for sure, but the good news is that any CIO/CTO can implement PCI without involving (and…
Eran Livne
Hey Byron, very interesting post. A Forrester report from last year asked IT security organizations about the importance of different IT security issues; the report indicates that regulatory and compliance ranks in 7th place (out of 11). I believe this finding is also aligned with this post’s statement. But even though most organizations consider the PCI 12 requirements as “checkboxes” that IT is required to tick, PCI has a very positive impact on organizations’ security. One benefit of PCI for organizations is that PCI takes into consideration high and real security risks that have not always been viewed…

Here we are a year on after the original post. To be honest, PCI compliance has not really made the headlines in the UK.

Of course, the major bluechips have implemented the standards and are compliant.

Getting the message across to SMEs and small startups is like banging my head against a wall sometimes.

People don’t realise the implications non-compliance would have on their business. Of course, once a breach occurs – it’s too late!