I strongly believe that it does protect cardholder data, if it’s enforced properly throughout the year.
Unfortunately, some people still think that PCI DSS is a silver bullet that solves all security issues without additional effort. A week-long assessment and some co-signed paperwork, and every aspect of security is considered solved for the next 12 months – that’s how some companies still operate, and that’s why they get breached.
So, please consider the following points to improve your security and minimize the chances of your company being breached:
1. Any skilled IT sysadmin can fool a QSA during the assessment. Systems and servers can be hidden from scope, and configuration settings can be tweaked temporarily, just long enough to satisfy the QSA.
2. A PCI DSS assessment proves nothing except that, based on the evidence collected, the company was believed to be compliant during the assessment window. That’s it!
3. Use PCI DSS as a framework for deploying software and hardware that your staff will actually use to spot abnormalities, rather than just to satisfy QSAs. Examples: log aggregation, file integrity monitoring, intrusion detection systems.
4. Educate your employees and ensure that they understand the importance of PCI DSS and its requirements. I see lots of frustrated people who do things automatically just to produce the evidence required for the annual audit.
5. Don’t skip requirements. Deploy all mandatory hardware and software. Defense in depth and layered security are the only two terms that can save your company.
6. Always remember: PCI DSS is a bare minimum. Do more! Act faster!
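As an added illustration of point 3 (this is example code written for this post, not a tool the post itself describes), here is a minimal file integrity monitor: it records a SHA-256 baseline of every regular file under a directory, then reports files that were added, removed or modified. The directory layout, file names and the tampering scenario in `demo()` are constructed for the example; a production FIM (Tripwire, AIDE, OSSEC and the like) would additionally store the baseline off-host, sign it, and alert through your log aggregation rather than just printing.

```python
"""Minimal file integrity monitor: baseline a directory tree, then detect changes."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its digest.

    Symlinks are skipped so an attacker cannot point a monitored name elsewhere.
    """
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root_path).as_posix()] = _sha256(p)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Return added, removed and modified files relative to a stored baseline."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(f for f in known & seen if current[f] != baseline[f]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "ssh").mkdir(parents=True)
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(tmp)  # in practice: stored and signed off-host

        # Simulated tampering between two checks: weaken sshd,
        # drop a cron job, delete a file. sudoers is left untouched.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (etc / "hosts").unlink()

        return compare_to_baseline(tmp, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind.upper():9} {name}")
```

The value of the tool is only realised if someone reads the alerts: run the comparison on a schedule, ship the diff to your log aggregation, and make an unexplained "modified" on something like `sshd_config` or `sudoers` a ticket, not a line nobody looks at until the next assessment.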