Verizon’s Strategies for Reducing the Risk of a Data Breach
Verizon Enterprise Solutions recently released its 2015 Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Report, which suggests key strategies that clients can use to make compliance easier, more effective, and sustainable, therefore reducing an organization’s risk of a data breach.
Background
PCI Security Standards consist of a set of standards created to ensure that service providers and merchants who use credit and other purchasing cards have specific safeguards in place to protect cardholder data. The standards do not constitute law (except in a few states), but instead represent conditions of participation for parties using the vast majority of cards in the world, such as Visa, MasterCard and American Express. Using extensive data and thousands of assessments, Verizon issues annual reports quantifying compliance with these controls.
Why is compliance important?
Many businesses see the level of effort needed in becoming and remaining compliant as a burden because there is no tangible benefit to be seen. What they are not factoring in are the costs associated with data breaches and the benefit that can be achieved from the process reengineering and automation that is done to reach compliance. Data breach costs can include:
- Fines for non-compliance;
- The monetary costs of repairing the damage to customers after a breach; and
- The reputational damages that a breach can cause.
While compliance benefits include:
- Improved quality and speed of tasks performed;
- A reduction in errors in processes; and
- The decrease of redundancy in tasks within the organization.
Making compliance easy and effective
Verizon outlines a few strategies that can be utilized to make compliance easier and more effective. These include:
- Reducing the scope to which PCI applies; and
- Automating processes by leveraging the latest tools
To make compliance easier, Verizon recommends using scope reduction techniques to reduce the scope of the cardholder data environment (CDE) that is subject to the intensive authentication and monitoring controls expected in a PCI DSS-compliant environment. Verizon suggests that clients create a fully documented data flow diagram that will help identify all systems in the organization’s environment. From this process clients classify the scope of their CDE. By removing systems that don’t affect the CDE from the CDE scope, an organization can avoid the significant costs and efforts of regular compliance activities and annual assessments specific to PCI DSS compliance. Scope reduction should be a careful, thoughtful process that involves interdepartmental communication and collaboration.
Systems automation is another strategy that can ease the compliance burden. As an example, Verizon suggests investing in logging, monitoring, and testing software to test that security systems are working as intended, and to monitor logs that can help detect early signs of a data breach. A company can chose to outsource the tools used to increase automation or they can maintain them in-house, depending on the resources and capabilities of the business. Should a business choose to outsource these services to a third party, a strong vendor management process is important to clarify which party is performing the activities critical to remain compliant. Verizon has found that many companies thought that their third party service provider was performing a vital activity, when in fact, they were not. Written agreements can help define each party’s responsibilities and ensure that all controls are being met.
Making compliance sustainable
Once a strong compliance framework is created, it must remain sustainable within the organization over time. In order to do this, the organization must work to maintain the systems and processes it has worked so hard to develop.
Compliance expenditures do not have to be looked at as merely a cost of doing business, but should be looked at as an investment that can improve overall business performance and better manage risk. Not only do compliance activities help a business by building trust with their clients through demonstrating their commitment to protecting their data, but they also help a business gain operational efficiencies from redesigning and automating key processes and mitigate the risks associated with handling sensitive data on a day to day basis, therefore reducing the risk of a data breach.
If you would like to discuss further, please call your BNN advisor at 1.800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.
