Card data security has to become a 24-hour priority for businesses, not just when PCI compliance assessors come around for annual checkups, according to the Payment Card Industry Security Standards Council.
The council, which maintains the PCI Data Security Standard (PCI DSS), is publishing a new guidance document outlining best practices for building security into day-to-day business processes.
Past research has shown that businesses tend to get lazy about complying with data security standards throughout the year, said Troy Leach, chief technology officer for the council.
Verizon's recent PCI DSS compliance report indicated that when a qualified security assessor (QSA) returned to a merchant that had met PCI compliance the year before, only one in 10 merchants actually met all of the requirements on the following visit, Leach said.
"Once they are audited and the assessment is done, the merchant will put security on the backburner and wait until there is another obligation to demonstrate security," Leach said.
Such a practice leaves card data less secure, and it also points to inefficiencies in security policies, Leach added.
Companies that do multiple security checkups during the year actually save money, Leach said. "It's about 55% overall on their compliance expenditures, because things were less likely to go off path," he added.
The guidance focuses on security and risk assessments, while promoting continuous monitoring of systems. It encourages merchants to be proactive in looking at new emerging threats.
"Most importantly, they should be measuring the effectiveness of those security controls," Leach said. "You can only improve and show the value of security inside of a business when we have demonstrative evidence that what we are doing is working."
Merchants are slowly becoming more aware of their security obligations, mainly because each week seems to bring news of another merchant breach, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"It's certainly catching on with the bigger merchants, but our big challenge is still the small and midsize merchants who don't make the headlines," Conroy said. "Many of them think this is still the big guys' problem."
The recent PCI DSS 3.0 standard acknowledges that most breaches were not sophisticated attacks but intrusions made possible by neglect of simple security measures, Conroy added. "They were attacks in which they are picking up the low-hanging fruit."
The new PCI guidance focuses on "people and processes," which tend to be the weak points in any type of security system, Leach said.
"Security is a process, and unfortunately a process is boring, routine and institutional, and that makes it a challenge to stay diligent," Leach added. "It has to be a daily exercise, but it can fall by the wayside."
When a company faces a change in personnel, equipment or technology, it should conduct a full risk assessment to determine the effects of those changes, Leach said.
"Too many say they will do the risk assessment when the QSA comes in the door and tells them what those risks are."