Observations from the PCI Security Standards Council’s Community Meeting

by Steve Smith on September 29, 2009 · 2 comments

Last week I attended the PCI Security Standards Council’s Community meeting in Las Vegas and there was a lot of interesting discussion. Attendance was good as there was a large group of merchants, service providers, Approved Scanning Vendors (ASVs) (like AlertLogic), and Qualified Security Assessors (QSAs).

One topic that was reiterated, and a theme we have touched on several times, is that passing a PCI security audit is not the goal of the standards council. The standards are about security, not compliance. Bob Russo, GM of the Security Standards Council, emphasized the need for consistent security practices with an analogy to locking his car: you lock your car every day, not just Monday, Wednesday and Friday. You want your systems ready and monitored so that when someone tries to break into your car, the alarm bells go off.

This was a very appropriate lead-in to Chris Novak’s presentation on Verizon Business Security Services’ 2009 Data Breach Investigations Report. He made the point that only 6% of the breaches caught in 2008 were discovered through event monitoring and logging, and emphasized the need for companies to be more vigilant in this area. In fact, more than two thirds of the time the data breach was found and reported by third parties.

Chris emphasized how important log monitoring is to identifying data breaches early and preventing large compromises of customer data. The Verizon report makes it clear that online data is the weak point, stating “99 percent of all breached records were attributable to compromised servers and applications.” Additionally, the fact that most breaches are the result of a combination of events rather than a single attack means that proper log management and review could have caught many of these attacks before they resulted in data compromise. Chris told one breached company that “all the information they needed was right there in black and white in the logs.”

Another interesting topic from the conference was Chris addressing the recent concern that companies that are getting breached were PCI compliant. Chris said many of the companies that thought they were PCI compliant during and after a breach actually weren’t. He asserted that all of the data breaches could have been prevented if these companies had actually been compliant.

The Verizon report emphasizes this point as well. The report states that being PCI compliant is critically important to preventing data loss. An overwhelming 81% of the companies that experienced a data breach in 2008 had been found to be non-compliant prior to the breach. Dr. Peter Tippett, Vice President of Research and Intelligence, Verizon Business Security Solutions sums it up nicely in the report:

“This report clearly shows it’s not about clever or complex security protection measures. It really boils down to ensuring the basics are met from planning to implementation to monitoring of the data.”

Companies don’t need to look for the next greatest technology. More often it is about adhering to regular security procedures and policies. Companies should understand that security isn’t about a single event, like passing an audit, rather it is an ongoing process that requires constant attention.


Lue Anne 10.08.09 at 2:11 pm

Do you know if the PCI SSC is looking at simplifying the next version of the SAQs? Seems the SAQs were created for QSAs and not for the merchant. The SAQs need to be presented in layman’s terms if the PCI SSC is going to make them available.

Steve Smith 10.08.09 at 2:55 pm

Hi Lue Anne,

I can tell you that the council does know that Merchants and Service Providers struggle with the SAQs. They revised them last year in an effort to clear up some of the issues they heard. In fact, the SAQs aren’t for QSAs at all; they are for Merchants and Service Providers that aren’t required to have an annual QSA audit completed. That being said, the council did make the recommendation that those struggling with the SAQ hire a QSA.

Also, you probably already know this, but there are a lot of resources available on the PCI SSC website (https://www.pcisecuritystandards.org/). These include a Getting Started Guide, SAQ instructions, Ten Common Myths (these are found in the Education section under Fact Sheets) and a FAQ (look over on the left side of the home page).

Hope that helps!
