The Target data breach and other recent breaches show that today's reality is a harsh one, and one that industry and the country can no longer avoid: we have entered a whole new era of opportunity for hackers.

Criminals after payment card data are advanced and persistent in their attacks, and we have to be just as advanced and persistent in our defenses, relying not on one layer of protection but on many. No longer do we have the luxury of assuming our efforts are good enough, or that security belongs to just one part of the business. This new frontier requires a cultural shift that builds security awareness and responsibility into every single job description across an organization, an approach that anticipates the breakdown of every defense you've put up and has a backup plan for mitigating the damage when attacks do happen.

With 'password' unbelievably still the most common password in use, and the recently released 2014 Verizon PCI Compliance Report detailing that more than 80 percent of breaches of confidential consumer information in 2012 involved compromised passwords, it's clear that we can do a much better job of protecting consumer data. Businesses and consumers alike have a significant role in making this happen, and government can play a constructive role as well. The PCI Security Standards Council believes that government should focus on streamlining data breach notification laws, improving public-private collaboration, encouraging information sharing and providing more resources for law enforcement activities.

The recent rash of large-scale data breaches has brought a number of us in the industry to testify before Congress about what the problem is and how we can fix it. The future of data security is of utmost importance for consumers and America's business community. Few issues before Congress are of greater importance than how we prevent large-scale breaches of personal information.

When we talk about the future of data security, it's critical to look at current trends and best practices, which can serve as a good housekeeping guide for the future. The 2014 Verizon report indicates that PCI compliance is a key factor in data security: its results showed a 25 percent increase from 2012 in the number of organizations that were nearly meeting all PCI requirements with their security programs. Its findings also reiterated what we've seen in similar reports over the years: organizations that have security controls in place as part of complying with the PCI Standards improve their chances both of avoiding a breach in the first place and of minimizing the resulting damage if they are breached.

While recent high-profile breach incidents have captured the nation's attention in the past few months, we can't overlook the significant progress that has been made over the past seven years in securing payment card data through a collaborative, cross-industry approach. As a data security industry expert pointed out recently, "We only hear about the successful attacks. We do not hear about all of the attacks that are prevented by the security implemented through conformance to [the PCI Data Security Standard] PCI DSS."

While the PCI Security Standards have protected millions of payment card customers over the years, it is critical for policy makers to recognize that there is no single solution that addresses all security challenges. The fact is, security requires a daily, coordinated focus on people, process and technology. The PCI Security Standards, which encourage a multi-layered approach to data security, together with technology innovations and greater law enforcement efforts, represent the future in this ongoing battle to protect consumers' confidential information from the bad guys.

Russo is general manager for the PCI Security Standards Council.