In Internet years, 2007 seems like a long time ago. But some things have not changed. That was when attackers first broke into Heartland Payment Systems, in a breach that was not discovered until early 2009 and that ultimately compromised more than 100 million credit card accounts.
Heartland management assumed that they had done the right thing. After all, they were PCI compliant, weren't they? An outside assessment had found them in conformance with the Payment Card Industry Data Security Standard (PCI DSS). So they had to be secure.
In practice, as it turned out, not so much. And while 2007 may seem like ancient history, this sort of rude-awakening history is repeating itself. Just last January, retailer Zappos had to tell its customers that it had been hacked, this time compromising "merely" 24 million customer accounts. And Zappos was also PCI compliant.
PCI compliance, it seems, is not enough. It is not that there is anything wrong with the PCI DSS. It is a sound baseline of controls. And passing an assessment is a good way to confirm that, at a given moment, those controls have been set up right. But that is what an assessment measures: a snapshot of the systems in scope, on the day the assessor looked.
Passing an audit, therefore, is only the beginning. It is equivalent to an airplane passing an FAA inspection: At that moment it is airworthy and safe to fly. But it will only remain airworthy if it is supported by constant maintenance, in accordance with established technical standards.
Likewise a company's payment network only remains secure if ongoing security effort is applied between assessments: patching, monitoring, reviewing access, and testing the controls that were in place on assessment day to make sure they still are. None of this is mysterious, and none of it takes magic. But it does take ongoing effort, and it does not stop when the compliance report is signed.