PCI DSS turns ten years old this year but despite the regulation existing for a decade and the recent DSS version 3.0 changes becoming effective, worryingly Verizon’s latest report suggests that organisations are not only slow in updating, but are also approaching compliance in the wrong way. And my experience on the ground leads me to concur.
With the third revision of the PCI Data Security Standard having now been introduced, this refinement and clarification – rather than a new technique or technology – should further protect organisations against card data theft, but with losses through card fraud still on the increase, it is clear that something has to change.
Any organisation that is sceptical of the advent of Version 3 of the PCI DSS and not taking action need only look at the ongoing and often high profile security breaches, such as the recent Target breach, to understand that action must be taken. The latest Nilson Report figures further highlight the scale of the issue, showing global card losses in 2012 reached $11.27 billion, up 14.6% over the prior year – so why aren’t organisations ensuring card payment data is safeguarded?
The Verizon report found that compliance numbers remain in double digits, at least when judged against the 12 requirements, as well as highlighting that less compliant organisations are more likely to be breached. So why aren’t organisations compliant? Ignorance, complacency and corner-cutting are still the major contributors to card data theft and this must stop.
I fully support the PCI SSC’s objectives of educating and encouraging merchants to embed security best practices within their everyday operations. PCI DSS requirements need to be taken seriously, implemented in full, and practised daily. Securing the perimeter via AV and firewalling is never going to be ‘secure enough’, but by running continuous file integrity monitoring, card handling systems can be properly hardened against breaches and protected against card-data-stealing malware.
In adopting a methodology and culture of continuous real-time security validation, the operation of security best practices will become straightforward, inexpensive, something that merchants of any size can take in their stride, and critically give full peace of mind that systems are being actively protected at all times, 100% in line with PCI DSS requirements.
Mark Kedgley, CTO, New Net Technologies
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.