Executive Insight: The Cost of Vigilance Versus Compliance
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
If there’s one word we hear too often in the payments industry, it’s “compliance.” Too many security officers, IT directors, and other business leaders cling to the term the way Linus from the Peanuts gang clings to his blanket. And – as dozens of major breaches over the past few years have proven – compliance offers them about the same guarantee of protection as a child’s security blanket.
Compliance has never been the right term to pair with security. Why? Because at its root, it implies a checkbox approach to security. The verb “comply” comes from the Latin complere – “to fill up.” So complying with a security standard literally means filling up that standard by checking off all of its requirements. This would be great if there were a standard that offered 100 percent (complete) security, but security experts around the globe agree that complete security is a fallacy. So, the belief that complying with a security standard will guarantee your security is akin to trying to fill up a bucket that has a hole in the bottom. It may work for an instant, but the moment you stop adding water, you will no longer have a full bucket, and, for the sake of our analogy, you will no longer be in compliance.
In the payments industry, this fact was perfectly (although painfully) illustrated by the 2015 PCI Compliance Report, published by Verizon Enterprise Solutions. According to Verizon, 80 percent of merchants assessed as PCI compliant last year fell out of compliance within one year of their assessment. Verizon’s report also stated, “Of all the companies investigated by our forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach.”
Clearly there’s a hole in the PCI compliance bucket, so just filling it up to the level of compliance is not sufficient. Instead, you need constant monitoring and the steady addition of water to keep that bucket full. This persistent stream of effort is the difference between compliance and vigilance. Vigilance comes from the Latin vigil, which means “watchful, awake” and from vigilantem, which adds “anxious and careful” to that definition. Vigilance is the answer to our security woes. It is what will ultimately stop the breaches that have run rampant over the past 18 months. Unfortunately, it is not a simple solution.
Vigilance requires great effort and great expense. It requires constant improvement – not a “one-and-done” approach. For Shift4, it requires that 4% of our gross revenues (not our net profit, our overall gross) be reinvested immediately into security. It is the reason that we have nearly a dozen Certified Information Systems Security Professionals (CISSPs) on staff, when most payment organizations 10 times our size only have one or two.
Our vigilance is also evident in our product development. We are not always first-to-market because we take the time to do things right and to ensure that our products have security built in from the very beginning. Too many companies throw together a new program and then try to bolt on an existing security solution that may not fit. This is neither careful nor anxious – and therefore not vigilant. Our vigilance is also evident in our onboarding process; we freely admit that we are not the quickest or simplest gateway to get started with, but that is because we are cautious and watchful every step of the way.
Finally, our vigilance is the reason we are so often at odds with the industry standards bodies when they aim to apply a single draconian standard and then haphazardly force merchants to modify business practices and technologies to comply with it. This is not how we operate. Instead, we provide security solutions that are tailored to our merchants and their unique business needs. We believe that compliance should come as a natural result of security, not instead of it.
The greatest challenge on the road to vigilance is realizing that for some, true vigilance may be unattainable without outside assistance. I understand that for nearly all small businesses – and even most mid-sized businesses – the resources required for around-the-clock monitoring of your card-data environment are cost prohibitive. Even for many of the large merchants that we work with, assuming full responsibility for their own customers’ data is too great a risk with little to no payoff. This is why, for many businesses, the wisest and most vigilant decision is to remove the burden of protecting cardholder data entirely by ensuring that payment data never enters your environment in the first place. When you do this, it is essential that you entrust that responsibility to a company with a proven track record in the payments industry and an uncompromising commitment to maintaining the strictest security, in both its protocols and its product development, on your organization’s behalf.
By implementing Shift4’s True P2PE™ point-to-point encryption solution, merchants can prevent card data from ever getting past the secure swipe device – meaning it never enters the merchant’s point of sale, networks, or other systems – and when that is layered with TrueTokenization® to prevent the long-term storage of card data, merchants can entrust their sensitive data to an organization that is ever-vigilant and committed to the relentless pursuit of security.
Ultimately, in an era of organized criminal attacks against card data environments and state-sponsored attacks on businesses, you cannot afford not to be vigilant. If costs or business structure preclude you from maintaining this level of security, then it is your responsibility to find a partner who can provide it for you. Yes, vigilance is expensive, but compliance can be much more costly.