
Compliance complacency: How ‘check-box’ compliancy remains a pitfall for many organizations worldwide

✍ Scribed by J. Andrew Valentine


Publisher
Elsevier Science
Year
2010
Tongue
English
Weight
821 KB
Volume
15
Category
Article
ISSN
1363-4127


✦ Synopsis


Year to year, systems that handle and transmit payment card data remain a key area of concern for merchants and organizations of all sizes. In 2011, credit and debit card payments are fully established as common currency for both traditional brick-and-mortar merchants and e-commerce merchants who operate exclusively in the digital marketplace. Now, perhaps more than at any other time in history, a merchant's good name and reputation are increasingly tied to its ability to provide and demonstrate security around its payment systems environment. To that point, payment card transaction security controls are (and should be) an obvious concern to any and every merchant, and for nearly the last half-decade, merchants around the world have strived to achieve full compliance status with the Payment Card Industry Data Security Standard (PCI-DSS). Unfortunately, "security" and "compliancy" are not always necessarily the same thing, and many organizations that suffer data breach events come to realize that although they achieved "compliancy," their measure of "security" fell behind. In effect, these organizations simply became complacent. This article will explore the nature of "Compliance Complacency," and how it can lead to security and data breach events if left unchecked. To reinforce these points, this article will draw on case statistics outlined in the 2010 Data Breach Investigations Report published cooperatively by the Verizon Business Forensics and Investigative Response Team and the United States Secret Service.

Each year, as more and more merchants and service providers develop, roll out, and work to maintain PCI compliant payment systems and business processes, there has been a noticeable increase in the level of organizational complacency around securing critical payment-related systems. This complacency is intrinsic to the "check-box" compliancy mindset. That is, as long as the specific compliancy requirement is met and achieved (and the audit box is checked), the organization no longer needs to remain continually vigilant around securing its systems environments. Essentially, many organizations are taking on the attitude that by meeting and achieving PCI-DSS compliancy standards, they are automatically categorized into a "hacking-free safe zone." That, by meeting the necessary