The word “compliance” rings out across the payments industry like a clanging bell that cannot be silenced. It might be better compared to the bell of a town crier yelling out a list of demands on behalf of an absolute ruler. The presumption is that to be compliant is to be protected, so merchants follow the orders. But as breach after breach hits the headlines, it has become clear that compliance is not a synonym to security.
In fact, comparing compliance to security has always been an uncomfortable pairing. That’s because, by the very nature of the word, compliance implies a checkbox approach to security. The verb “comply” comes from the Latin complere – “to fill up.” So complying with a security standard literally means filling up that standard by checking off all of its requirements. This would be great if there were a standard that offered 100 percent (complete) security, but security experts around the globe agree that complete security is a fallacy. So, the belief that complying with a security standard will guarantee your security is akin to trying to fill up a bucket that has a hole in the bottom. It may work for an instant, but the moment you stop adding water, you will no longer have a full bucket and, for the sake of our analogy, you will no longer be in compliance.
Verizon (News
- Alert) Enterprise Solutions’ 2015 PCI Compliance Report paints a clear picture of this reality. According to the report, 80 percent of merchants assessed as PCI (News - Alert) compliant last year fell out of compliance within one year of their assessment. Verizon’s report also stated, “Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”
It becomes obvious here that just “filling up” the compliance bucket won’t work, because there’s a hole in it. Instead, you need constant monitoring and the steady addition of water to keep that bucket full. This persistent stream of effort is the difference between compliance and vigilance. Vigilance comes from the Latin vigil, which means “watchful, awake” and from vigilantem, which adds “anxious and careful” to that definition. Vigilance is the answer to our security woes. It is what will ultimately stop the breaches that have run rampant over the past 18 months. Unfortunately, it is not a simple solution.
That’s because it is a solution that demands significant effort and expense. Vigilance requires constant improvement – not a “one-and-done” approach. For Shift4, it requires that four percent of our gross revenues (not our net profit – our overall gross) be reinvested immediately into security. It is the reason that we have nearly a dozen Certified Information Systems Security Professionals (CISSPs) on staff, when most payment organizations 10 times our size only have one or two.
Too many companies throw together a new program and then try to bolt on an existing security solution that may not fit perfectly simply to be first to market. This is neither careful nor anxious – and therefore not vigilant. Payment gateways offering lightning speed onboarding may seem similarly appealing on first glance, but this is in no way means that the service provider has been cautious and watchful every step of the way to ensure the solution meets the needs of a merchant’s unique payments environment.
Being vigilant sometimes means standing in opposition to industry standards bodies when they seek to apply a single standard and then require that merchants modify business practices and technologies to comply with it. Compliance should come as a natural result of security, not instead of it.
As organizations embark on the journey toward vigilance, some will realize that true vigilance may be unattainable without outside assistance. For nearly all small businesses—and even most mid-sized businesses—the resources required for around-the-clock monitoring of your card-data environment are cost-prohibitive. Even for many of the large merchants, assuming full responsibility for their own customers’ data is too great of a risk, with little to no payoff. This is why for many businesses, the wisest and most vigilant decision is to entirely remove the burden of protecting cardholder data by ensuring that payment data never enters your environment in the first place. When you do this, it is essential that you entrust a company with a track record in the payments industry and an uncompromising commitment to maintaining the strictest security in terms of protocols and product development on your organization’s behalf.
In the final analysis, vigilance is becoming a business necessity. Cyber criminals have demonstrated their mental agility time and again, breaching security standards right and left to achieve their goal: the theft of your card data. Vigilance is expensive, but compliance alone, as demonstrated by all those headlines, can cost much more – both in terms of finances and reputation.
Dave is the president and CEO of the Shift4 corporation. Dave is a hands-on manager who enjoys jumping into projects alongside his technical staff. An accomplished businessman, Dave has more than 35 years' experience in software development and accounting, spent mainly on overseeing software companies. Prior to founding Shift4, he was CEO of the Aerus Corporation, a pioneer of business accounting software, and owner of a successful consulting firm.