Companies should go beyond PCI DSS compliance, says Layer 7

Walston cited the 2011 PCI DSS Compliance Trends Study, which found that 88% of respondents either believed that PCI DSS compliance did not reduce the number of data breaches their organizations experienced or were not sure whether it had any effect on data breaches.

“Clearly, PCI DSS is not a catch-all; it doesn’t solve all your problems”, Walston told Infosecurity. “In some cases, you can think you have very secure exchanges of cardholder information, and in fact not have that at all. That is one of the gross exaggerations people have about PCI DSS — if you implement PCI DSS, do an audit, pat yourself on the back, and say it’s all done, you’re somehow considerably safer than you were before”, he added.

The 2011 PCI DSS Compliance Trends Study, conducted by the Ponemon Institute for database security firm Imperva, surveyed 670 US and multinational IT security practitioners on PCI DSS compliance.

The survey found that only 33% of respondents believe that expenditures on PCI DSS compliance add value to the organization. Half of respondents said that their organization views PCI DSS compliance as a burden. For a fuller discussion of the survey results, see Infosecurity’s April 25 coverage.

Walston said that the increasing use of mobile devices to conduct credit card transactions is complicating the credit card security issue. “Right now, a number of our customers want to open up their APIs [application programming interfaces] because they believe it is a path to money. MasterCard, for example, is in the process of opening up their developer APIs”, he noted.

“The credit card companies believe they are behind on this … So they have this conflicting issue. On the one side, they want to make their APIs open so that developers can write cool apps that drive volume through their network. At the same time, they want to lock down the security”, he said.

Walston said that Layer 7 Gateway offers companies protection beyond PCI DSS compliance. The Gateway authenticates, authorizes, and encrypts communications with external entities. Using various pattern-recognition mechanisms, it also inspects outgoing messages and filters out cardholder information that would otherwise leak from internal systems.
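The outbound inspection described above can be illustrated with a small filter. This is an added example, not Layer 7's code: it assumes a regex for candidate card numbers plus a Luhn check to cut false positives, and masks any primary account number (PAN) found in an outgoing message so that only the last four digits remain.

```python
import re
from typing import Tuple

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or hyphens.
# Assumption: this is a generic pattern, not the gateway's own rule set.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Replace all but the last four digits, the usual truncated display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def filter_outbound(message: str) -> Tuple[str, int]:
    """Scan an outgoing message for Luhn-valid PANs and mask them.

    Returns the filtered message and the number of PANs masked. Digit runs that
    look like card numbers but fail the Luhn check (order ids, timestamps) are
    left untouched, so the filter reports only genuine leaks.
    """
    masked = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal masked
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked += 1
            return mask_pan(digits)
        return match.group(0)

    return PAN_CANDIDATE.sub(repl, message), masked


if __name__ == "__main__":
    # Constructed sample: one well-known test PAN and one Luhn-invalid lookalike.
    sample = "Order 4111111111111112 paid with card 4111 1111 1111 1111."
    print(filter_outbound(sample))
```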

“It’s not just about protecting cardholder information in terms of encryption or tokenization, you also have to be very serious about the systems themselves”, Walston added.
