Yet many off-the-shelf compliance solutions on the market today have yet to prove themselves from an ROI point of view, often for reasons of cost and complexity. Instead, firms commonly choose to meet their compliance obligations by developing their own home-grown methods, typically built around spreadsheet questionnaires, to manage compliance programmes such as PCI DSS.
While there is nothing wrong with the PCI DSS standard as a set of controls, it is little more than the basic minimum that an organisation should set out to achieve. It should not be treated as a replacement for solid business-as-usual (BAU) security practices. One of the biggest data breach stories of 2013 was at US retailer Target, where the personal data of around 110 million customers was reported to have been exposed. It is not clear whether Target was in compliance with PCI DSS at the time it was breached, but statistically the chances are that it was not: according to Verizon's 2014 PCI Compliance Report, only 11.1% of businesses globally were fully compliant in 2013.
PCI DSS compliance is based on a single assessment each year. The assessment represents a moment in time: an accurate verdict made at a single point during a twelve-month period. It is not a guarantee of compliance even for the following day, let alone for any enduring length of time, and controls that passed on the day of the audit can drift out of compliance as systems, staff and configurations change. There is plenty of evidence to show that many data breaches occur some time after a successful PCI DSS audit.
One possible reason for this goes back to the spreadsheet. For all its versatility, the spreadsheet is simply part of a largely manual process. In a large-scale compliance audit the spreadsheets cut across all kinds of internal programmes and departments, such as HR, Finance and IT. It is almost impossible to gauge the overall status of a large-scale compliance programme without lengthy and painstaking analysis of hundreds of completed responses. Skilled compliance and risk personnel end up burdened with manual process administration and are given insufficient insight into trends and anomalies to support business decisions.
This absence of automation is the Achilles heel of a spreadsheet-based approach. A lack of shared obligation or team effort places all of the responsibility for delivering results on the compliance officer. At the same time, questionnaire recipients are told they have to complete them even though they may not fully understand how critical the data they provide is, and as far as their managers are concerned it is just another job that has to be done. There is no central visibility of the audit's status and very little control over the compliance process. In short, you end up with something that is little better than an exercise in the pursuit of compliance for compliance's sake, instead of focusing on making security the first priority.