The following is an excerpt from the prepared testimony that Robert Russo, General Manager of the PCI Security Standards Council, gave before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on Homeland Security on March 31, 2009.
The Nature of the Compliance Challenge and Process
Validation of compliance with the PCI Data Security Standard can only represent a snapshot in time that coincides with information shared with and interpreted by a QSA during the assessment period. Unfortunately, the dynamic nature of any organization’s systems and network environments can result in a wide variety of actions or inactions that can render a validated system noncompliant almost immediately after a satisfactory compliance report has been issued. As a result, effective compliance is a full-length feature film where the organization is “compliant” at each and every frame of that film. For that reason, the Council believes achieving and maintaining compliance with PCI DSS and continuous vigilance regarding other security practices is an ongoing process that must systematically be integrated into every organization’s development and operational practices and policies in order to serve as the best line of defense against a data breach.
The evidence of data breaches demonstrates that criminal elements continue to manufacture new and inventive ways to compromise security systems, and we can assume that this will continue to be true. The Council, its Members and others are working diligently to secure payment card data against increasingly experienced and organized criminals. In spite of the severity of this continually dynamic threat landscape, the Council believes achieving and maintaining compliance with the PCI DSS is the best line of defense against data breaches.
It is important to note that the Members of the Council report that they have never found an entity that has been subject to a data breach that was also in full compliance with the PCI DSS at the time of the breach. Nonetheless, there is no such thing as perfect security. An organization could very well be compliant on the day its QSA wrote its assessment report, but noncompliant thereafter, at the time of a data breach. Many things can cause the protection to break down: logging rules not being followed, delaying installation of software patches, installing untested software, etc. Any of these examples (and many more) may cause a previously validated company to no longer be compliant, and therefore vulnerable to attack. Organizations must not take solely a checklist approach to security, or rely on periodic validation on a specific day as their security goal, but must instead exercise continuous vigilance and maintain a strict security program that ensures constant and ongoing PCI DSS compliance.