

Apr 16, 2009

PCI DSS Compliance is Simply Not Enough

Posted by Shane Gross in Security, Identity Theft

The standard for online merchant security is PCI DSS, the Payment Card Industry Data Security Standard. The Washington Post reports there is a rekindled debate as to whether this standard is relevant, because there have been recent data breaches on sites with newly acquired PCI certificates. To chime in on this debate, I think the answer is obvious and there really isn't much to 'debate' about.

PCI compliance, like any other standard out there, is playing a catch-up game. Hackers innovate, and PCI DSS then tries to update. PCI compliance is better than nothing, but it plays the game hackers love: a never-ending cycle of one-upmanship. "The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Trustwave investigated breaches in which hackers had been 'inside' the system for weeks or even months. This allowed the hackers to create custom tools to hack not only the stored information on the network, but the victim's computers as well. It was easy for hackers to get around PCI data storage protections.

Once the hacker gains access to a network or computer, they install malware to collect data, usually credit card numbers. Verizon Business reports the most common types are spyware and keyloggers.

Bryan Sartin, vice president of investigations at Verizon Business, says "the most important protection businesses can have in place is the ability to detect breaches quickly after they happen."

After they happen? Again, we are talking about reactive technology, not proactive. How about preventative measures? How about focusing on endpoint security? People are asking the wrong questions; no wonder they aren't coming up with the right solutions.
