CA Community
Are You Counting on a PCI Guarantee?

Published: October 01 2008, 04:00 AM
by Mike Hoefgen

FDIC guarantees your savings deposit.

Jell-O brand gelatin guarantees your satisfaction or your money back.

Apple promises to fix or replace my iPod if it fails due to defects within the first year.

So what does the Payment Card Industry (PCI) Security Standards Council guarantee?

Does it guarantee that your personal data will not be stolen? Does it give you your identity back if stolen? Does it repair your credit rating? Sorry folks, but it doesn't guarantee ANY of the above.

In the widely publicized Hannaford Brothers breach, roughly 4.2 million credit and debit card numbers were exposed. In his open message to customers, Hannaford President and CEO Ronald C. Hodge said the company was in compliance "with the highest security standards required by the credit card industry" at the time of the breach, most likely a reference to the PCI Data Security Standard (PCI DSS).

So how could this happen if the PCI standards are designed to protect consumers from exposure? What we are really asking is: why doesn't PCI compliance guarantee safety from a data breach? Simply put, for the same reason that locking your doors and windows at night doesn't guarantee you won't be burglarized. If someone wants in, they will find a way.

Early reports suggested the Hannaford breach was an inside job. Malware had been planted on servers inside Hannaford's stores; it captured card data in transit as cards were swiped at the registers and forwarded that data overseas. As with any set of best practices, efforts are constantly under way to address new areas of vulnerability as they arise. Some experts suggest that card data should be encrypted at the moment of the swipe, so that a compromised store server only ever sees ciphertext, which would help prevent similar incidents in the future.

What can we learn from this?


First, PCI is a framework of best practices; it is NOT an ironclad guarantee against data breaches. If your business has passed a PCI audit, congratulations: you have locked your doors and windows. But remember, you are not impervious to attack.

Second, compliance is a continuous effort. A PCI certificate of compliance says you were compliant on a specific day. Thinking you're done with compliance until the next audit is not a plan. You have to build compliance into the daily and weekly tasks of your employees. They need to keep up the efforts it took to become compliant:

  • Test and install software patches as they are released.
  • Keep your anti-virus software and signatures up to date.
  • Run your anti-virus scans and verify that they complete.
  • Review your firewall logs for possible intrusion vectors, including unexpected outbound connections from systems that handle card data.
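The last item in that list is where a Hannaford-style leak would show up: card data leaving the store network for a destination that is not the card processor. As an added example that is not part of the original post, the following Python script reviews egress firewall logs for exactly that pattern. Everything in it is assumed for illustration: the card-handling segment 10.20.5.0/24, the processor range 198.51.100.0/24 (both RFC 5737 documentation addresses), and the log lines themselves, which are constructed in a simplified iptables/syslog style and are not real Hannaford logs.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed network layout for this example (not from the original post): the store's
# card-handling servers sit in one segment, and the only egress they legitimately
# need is to the acquiring processor's address range.
CARD_SEGMENT = ip_network("10.20.5.0/24")
ALLOWED_EGRESS = (ip_network("198.51.100.0/24"),)

# Constructed sample log in a simplified iptables/syslog style (not real logs).
# 10.20.5.17 talks to the processor as expected, but also repeatedly to 203.0.113.77,
# and tries (and is blocked) to reach 192.0.2.9 on port 25.
SAMPLE_LOG = """\
Mar 14 02:11:03 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=198.51.100.23 PROTO=TCP SPT=40211 DPT=443 ACCEPT
Mar 14 02:11:05 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=203.0.113.77 PROTO=TCP SPT=40212 DPT=443 ACCEPT
Mar 14 02:12:00 fw1 sshd[4410]: Accepted publickey for ops from 10.30.1.8 port 52110
Mar 14 02:14:31 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.30.1.5 DST=203.0.113.10 PROTO=TCP SPT=51020 DPT=80 ACCEPT
Mar 14 02:15:09 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=192.0.2.9 PROTO=TCP SPT=40213 DPT=25 DROP
Mar 14 02:20:44 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=198.51.100.23 PROTO=TCP SPT=40214 DPT=443 ACCEPT
Mar 14 02:21:02 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=203.0.113.77 PROTO=TCP SPT=40215 DPT=443 ACCEPT
Mar 14 02:25:17 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.40 DST=203.0.113.77 PROTO=TCP SPT=40900 DPT=443 ACCEPT
Mar 14 02:30:55 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=192.0.2.9 PROTO=TCP SPT=40216 DPT=25 DROP
Mar 14 02:31:40 fw1 kernel: FW-OUT: IN= OUT=eth1 SRC=10.20.5.17 DST=203.0.113.77 PROTO=TCP SPT=40217 DPT=443 ACCEPT
"""

# Matches only the firewall (kernel) lines; other syslog entries are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Return a dict for a firewall log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_allowed_destination(dst):
    """True if dst falls inside one of the allow-listed egress ranges."""
    return any(dst in net for net in ALLOWED_EGRESS)


def find_suspicious_egress(log_text, min_hits=2):
    """Flag outbound flows from the card segment to non-allow-listed destinations.

    Returns a list of (src, dst, dport, action, count) tuples, most frequent first,
    for flows seen at least min_hits times. ACCEPT entries are potential leaks;
    DROP entries show what a compromised host tried and failed to reach.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] not in CARD_SEGMENT or is_allowed_destination(rec["dst"]):
            continue
        hits[(str(rec["src"]), str(rec["dst"]), rec["dpt"], rec["action"])] += 1
    findings = [(s, d, p, a, n) for (s, d, p, a), n in hits.items() if n >= min_hits]
    return sorted(findings, key=lambda f: (-f[4], f[0], f[1]))


if __name__ == "__main__":
    for src, dst, dport, action, count in find_suspicious_egress(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} {action} x{count}")
```

In a real deployment the allow-list would be derived from the firewall's own egress rules and the processor's published address ranges, and the review would run over the full day's log rather than a handful of lines. The threshold exists to cut noise, but a single accepted connection from a card-handling server to an unknown address, such as the one from 10.20.5.40 in the sample, still deserves a look.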
The PCI Standard is a great start; the key is integrating its security measures into your regular business processes, because unlike with your Jell-O, there's no money-back guarantee when it comes to PCI compliance.


By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...