In 2001 we received a phone call from a fellow at Visa Canada heading up the new AIS (Account Information Security) program suggesting we should hire one of the firms they had licensed and have our systems assessed for security compliance against their new AIS In Canada and CISP in the US.
I took a look at the assesors, got some quotes, laughed and called him back. My answer was..."when you find a reasonably priced assessor we will go through the process, but I am not paying $100,000 to one of your licensed firms so we can teach them online payment security.
You see our company Strategic Profits Inc. was one of the pioneers in the online payment space back in 1996/97 and we created our processes, policies and methodologies based on security and privacy first. Our applications and systems were built with security in mind, never convenience or revenue first...
In 2003 we had a reasonably priced assessor recommended by Visa come through our systems. It was supposed to be a two day onsite. Our assessor was flabbergasted by our documentation and how secure our servers and applications were created, implemented and maintained. He took one day and could find nothing wrong. He told us in all the years he had been assessing he had never seen a company with the correct documentation for every aspect of how we built and maintained our apps and systems or that the processes we wrote were actually in place and maintained.
We were stunned as we thought everybody looked at security like we did. How could an organization not consider the security of their systems critical so that the organization could assure that their clients privacy and sensitive data was protected.
Needless to say Strategic Profits Inc. was pronounced AIS/CISP compliant in 2003 and in 2004 the entire C.N. Wylie Group of Companies as well, compliant without remediation for each and every year since. The reason, since 1994 our founding year we believed in Security First, maintaining our systems and apps on a daily basis.
That compliance date you see on an Attestation of Compliance is a snap shot picture that within that time frame the organization is deemed compliant. But what is the organization really doing on a daily basis to maintain their security? Does the C-suite really understand the critical security culture and mindset their IT team needs to have to create security first. For small companies do they understand how to find only those service providers that are PCI DSS compliant to handle their sensitive data.
Well you all have seen that as the year 2014 is closing out, breaches are up over 48% over last year. That is appauling to us as the AIS/CISP and its new incarnation of PCI DSS and PA-DSS has been in place since 2001/02!
What I find interesting is this huge focus on the annual date for PCI or PA DSS compliance. The date is just a target because in order to be secure your policies, processes and methodologies are a day to day undertaking. As an organization you are in and out of compliance depending on the vulnerabilities that come out and how fast you can remeadiate them...There was a time when you could take 3 months to fix a vulnerability...LOL...are you kidding me..in that time you would have been robbed blind. If you don't remeadiate in real time or as close as possible you will get compromised. And if you don't have policies in place to that effect you will and probably already have been compromised. Who would allow a requirement like that for security....people that don't understand security and the need for real time process adherence.
So many organizations still haven't heard of PCI or understand the need to create a security culture within for each staff member. Social engineering remains one of the top ways for organizations to be breached. If the Card Brands had enforced their "mandatory" PCI requirements laid out in 2004 for level 1,2,3,4 merchants and level 2 service providers we would be a lot farther along in our pursuit of a proactive approach to security rather than the reactive strategy that still rules our industry...
I am grateful that Visa has finally decided 12 years into this great program that its worth getting tough with enforcement on security in all organizations. No more Paper Tiger...LOL..I can only hope!! Education and training to create a security culture as a priority one business case no matter how big or small your company or charity is will get us to proactive approaches to secure our industry.
Oh and just sayin...its almost 2015 - Technology has advanced enough that we don't need card numbers anymore...So why do the Cards keep producing credit cards with numbers to steal....Hellooooo..