Vigitrust And Verizon Seek To Close Europe’s Security-Compliance Gaps

If a Qualified Security Assessor tests a business for payments security compliance and passes it, that business may feel it can rest on its laurels.

Big mistake, says Mathieu Gorge, managing director at Vigitrust Ltd., an Ireland-based information technology security provider.

Indeed, a merchant or merchant acquirer will become fully engaged in Payment Card Industry Data Security Standard compliance when working with an assessor, but after the assessor “goes away” the security standards and policies can slip, Gorge says.

That’s a dangerous gap facing the payments security industry, he adds.

To close that gap and to address the weak spots in a company’s security system, Vigitrust is partnering with Paris-based Verizon Enterprise Solutions LLC to offer a wide range of compliance services designed to help businesses, financial institutions or payment providers strengthen security policies and personnel, the companies announced July 9.

The companies intend to provide security and compliance services through face-to-face training and Web-based sessions for technicians in need of secure coding training, Gorge says.

“If the users of the payments systems are not educated, then being compliant from a technical standpoint doesn’t really make you compliant,” Gorge contends.

Verizon’s central point is that security is an ongoing process that requires ongoing education and training, says Rodolphe Simonetti, head of risk and compliance professional services at Verizon Enterprise for the Europe, Middle East and Africa regions.

The Vigitrust and Verizon training provides tools that reinforce security policies and measures “because compliance is not the final point,” Simonetti says. “You have to manage security properly to lower your exposure to breaches.”

Vigitrust will offer European customers Verizon’s full portfolio of qualified security-assessor services, including PCI security project initiation and compliance remediation, validation and certification, Gorge notes. In addition, the partnership allows Vigitrust to help businesses manage and maintain security systems, he adds.

Verizon works through Terremark Worldwide Inc., an IT infrastructure services company Verizon purchased in the past year, to deliver an array of risk and compliance applications onsite or through a cloud-based service, Simonetti notes.

Because a recent Verizon study found that 96% of businesses experiencing a data breach in Europe were not PCI compliant, companies need more thorough training from a “coach” who is always available, Gorge suggests.

In fact, companies tend to get off on the wrong foot simply by not applying a security policy that fits their business, he contends.

“A policy designed for a larger merchant ends up in place for a smaller merchant, and it becomes difficult to educate those employees,” Gorge says. “How can you educate the staff if the policies are wrong to begin with?”

As an example, Gorge says a fast-food restaurant may set up a security policy that was written originally for a health care agency because someone at the restaurant copied a policy he found online.

“Some aspects of security policies are global in use, but some aspects may not be suitable for certain businesses,” Gorge adds. “I have seen a business in Europe that probably Googled a security policy from a Texas company and just did a cut-and-paste replacement to make it their policy.”

True compliance starts with establishing a policy that fits the business, Gorge notes. This occurs after careful study of a company’s technical diagram for payments and a business diagram outlining personnel and their decision-making roles.

Trainers must know company personnel and who performs which tasks as they relate to data security, he adds.

“We never see a computer server attacking another server,” Gorge contends. “We see someone who has configured a server to attack another server.”

Web-based training of employees is “only as effective as the security policy surrounding it,” Simonetti notes.

Web-based learning and testing can be an effective way for employees to learn about and reinforce a company policy, and they allow managers to monitor where potential security weaknesses could occur, Simonetti adds.

Gareth Lodge, a London-based industry analyst with Celent, says Vigitrust and Verizon are targeting an important aspect of security.

“Security is only as strong as its weakest link,” he suggests.

A large retailer relying on staff who may be young or poorly paid, and who turn over regularly, may face potential security issues regardless of the technology in place, Lodge adds.

Zil Bareisis, also a London-based senior analyst for Celent, says companies should not be fooled into thinking payment card technology will provide all of the security answers.

“Having an EMV smart card does not eliminate the need for strong security policies or a company culture of being aware of security-related issues,” he says.

Payments processor First Data Corp. unveiled a program late last month for helping its Web-based guidance on the actual tests.

In addition, the PCI Security Standards Council announced a training and certification program for resellers of payments-security software, aimed at reducing cases in which those resellers fail to fully educate or train the businesses purchasing the software.
