Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS. Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.
According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. n a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.
“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”
Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security number and Bank Account information may have been exposed, as well.
This situation exposes the danger of using a narrowly focused, static standard as a baseline of security management rather than adopting a risk based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen first hand the resources consumed by the standard. Companies often appear so laser focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance that it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedent to the PCI DSS over any other standard that does not have equivalent penalties associated with non compliance.
As a reminder, the PCI DSS is ONLY focused protection of Cardholder Data. Surely some are going to say that the PCI should be applied across all systems etc.etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.
I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk based security management.