Ellen Richey, Chief Enterprise Risk Officer for Visa, Inc., said the following at the Visa Global Security Summit:
"As we’ve all read, the company had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack. Based on our findings following the compromise, Visa has taken the necessary step of removing Heartland from its online list of PCI DSS compliant service providers."
I remember someone asking me when news of this breach first hit: "But weren't they PCI compliant?" "How could they have been breached, weren't they secure?"
I really think the Heartland breach is the linchpin event that brings home to people these three important concepts:
- PCI is a baseline of minimum controls that must be implemented to provide generally reasonable protection for data across a broad spectrum of organizations.
- Security goes "above and beyond" the minimum required for compliance and should use a risk-based approach specific to your business and operating environment.
- Maintaining compliance must be an ongoing process; it is not a once-a-year exercise.
Case in point: a sales professional I work with attended the Prepaid Expo USA recently and shared this from his notes on one of the sessions on prepaid card processing:
PCI is NOT enough. It is an ongoing process and we are all playing the "catch up game" much like the anti-virus world.