The general manager of the Payment Card Industry (PCI) Security Standards Council has outlined how simply being PCI compliant does not make you invincible to fraudulent activity.
Bob Russo, from the United States, was speaking at the Cards and Payments Africa 2013 conference, where he said companies make the mistake of believing just because they are PCI compliant they are also completely secure.
Although 96 per cent of worldwide breaches happened to companies that were not PCI compliant at their last assessment, Russo said weak passwords, lack of employee education and security deficiencies by third parties responsible for system support were among the most common downfalls.
Russo said: “Everyone is talking about malware, that there is so much malware out there. Yes, but how do they get it into their business or systems? You can stop that quite easily.
“If you do basic security things to protect your perimeter, then you stop them from getting the malware in there.”
Russo gave the example of his ‘secure’ house in New York, which, by analogy, is completely PCI compliant: it has window bars, a dog, double door and gate locks and an alarm system.
However, because it was warm one night last year he left a window slightly open, which automatically disabled the alarm system.
He added: “You need to build up levels of security so if they breach one level, then the next one will stop them.”