Does Passing a PCI Audit Guarantee Effective Operational Security?

By Eric Noonan • February 10, 2016

You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations.  According to Dark Reading, the “at-risk window” may have existed as early as July 30, 2015, with identified fraud being documented from August 13, 2015, to December 8, 2015. The malware responsible captured cardholder data while being transferred from the onsite processing location to the compromised system.

Post-breach, Chuck Floyd, global president of operations for Hyatt, said: “…we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.” While we can’t know for sure that statement implies that operational security controls were enhanced as a result of the breach, the question is, beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?

Many organizations focus security efforts around passing an audit, which can detract from achieving an actual effective security program.  One of the key takeaways resultant of the Hyatt breach is the importance of aligning security compliance with operational security.

Why Passing a PCI-DSS Audit May Not Be Enough

Compliance with standards and regulations like the PCI-DSS should serve as a baseline for security, but passing an audit does not guarantee effective operational security practices. PCI compliance assessments, in particular, are limited in scope, generally focusing only on computing environments, systems, system components, and processes that are involved in the store-process-transmit territory of cardholder data.

Focusing on the cardholder data alone can leave a business at risk when it comes to applying security in other areas – and a PCI assessor is only obligated to assess the security controls applied to the environment where cardholder data processing occurs.

Great effort is made by organizations to ensure cardholder data is processed in an isolated, segmented environment, ensuring that PCI requirements are only applicable in that narrow scope.  However, if the approach to security is pass-the-audit, any inaccuracy in PCI environment scoping can put cardholder data at risk, along with any other non-cardholder sensitive data that resides outside the audit area of focus.

How to Effectively Secure Your Sensitive Data

Although it’s unknown what caused this particular breach, aligning your compliance efforts with day-to-day operational security efforts to produce an integrated view of risk is the right way to secure sensitive data.  If you are unsure where to begin, check out CyberSheath’s blog post on the 3 Steps to Secure Your POS, which highlights three steps to get you started in the right direction. CyberSheath also offers security assessment services, providing a complete analysis of the strengths and weaknesses present in your current environment.

CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO