Phillip Smith, Senior Vice President of Government Solutions, Trustwave: "Going Beyond PCI"

Security is no longer ‘just an IT problem.’ As revealed in our recently released 2014 Security Pressures Report, 50% of more than 800 full-time IT professionals surveyed said their owners, boards of directors and C-level executives are applying the most pressure when it comes to security and it doesn’t stop there. Security has now become a Congressional issue.

On February 5, 2014, Trustwave was asked to present expert testimony before Congress about data breaches and malware attacks. In light of the recent string of high profile data breaches, the House Committee on Energy and Commerce held the hearing to get a better understanding of how data breaches occur and how they can be prevented. I presented the testimony and focused on one major theme – the importance of businesses going ‘beyond PCI compliance,’ using the Standard as a starting point, not an ending point when building their security strategies.

In today’s internet-connected world, threats are more complex than ever. Hackers are going after businesses of all sizes and across all industries. According to the 2013 Trustwave Global Security Report, cardholder data was the primary data type targeted by attackers in 2012. There is a well-established underground marketplace for stolen payment card data where criminals may get up to USD 50 per card; multiply that by millions and you can see how selling payment card data can be a lucrative business.

The PCI DSS continues to play a critical role when it comes to data security. The Standard has increased awareness and given businesses guidelines for basic security controls to protect cardholder and personal data. However, in today’s environment, where the threat landscape is more complex than ever and new business-improvement technologies are introduced every day, keeping up with and complying with the Standard simply isn’t enough. While the Standard helps businesses deploy some essential security controls, it doesn’t cover security around every attack vector, such as security surrounding targeted malware, mobile devices and cloud technology.

In addition to complying with the PCI DSS, businesses must also use a defense-in-depth approach to security consisting of multiple layers of defense, detection, response and ongoing testing. The strategy should include incident response preparedness, security awareness training, risk assessments and ongoing penetration testing as well as security controls that protect their databases, web applications and mobile payment systems. It should also include anti-malware technologies such as security gateways that help protect businesses in real-time from threats like malware, zero-day vulnerabilities and data loss, and can help organizations use things like web and cloud applications securely.

According to the 2014 Security Pressures Report, 85% of IT pros said a bigger IT security team would reduce security pressures and bolster job effectiveness. If businesses find that they do not have the skills or manpower needed to make sure all of their technologies are installed and working properly, they should look to augment their in-house staff by partnering with an outside team of security experts whose sole responsibility is to manage their security.

If businesses embrace this kind of approach to security, they can better protect themselves against attacks and inherently maintain compliance with the PCI DSS.

About the author

Phil J. Smith is Senior Vice President of Government Solutions at Trustwave. He has more than 14 years of federal criminal investigative and prosecutorial experience, having served as both a Special Agent with the US Secret Service and as a Senior Trial Attorney with the US Department of Justice Terrorism and Violent Crime Section. He was involved in the Secret Services early efforts to combat computer and electronic crime including the gathering of electronic evidence. Phil has significant crisis management experience including extraterritorial matters involving bombing of US facilities, air piracy and the killing of US nationals.