PCI DSS version 3.0
PCI DSS version 3 will be with us soon. Such is the anticipation that the PCI Security Standards Council has released a preview of the “Highlights of Change” document.
The highlights of the updated Data Security Standard include a pointed statement that may well be directed at you if you are a merchant or acquiring bank.
“Cardholder data remains a target for criminals. Lack of education and awareness about payment security and poor implementation and maintenance of PCI Standards cause many of the security breaches that occur today.”
In other words, a big part of the reason for the new version of the standard is to give it fresh momentum. The fact that PCI DSS is not new does not make it any less relevant today.
But what is the benefit of PCI DSS for us?
To understand how relevant cardholder data protection is, the hard facts are outlined in Nilson’s recent report. Their findings are that global card fraud losses have now exceeded $11 billion. It’s not all bad news if you’re a card brand or issuing bank – the losses are made a bit more bearable by the fact that total transactions now exceed $21 trillion.
http://www.nilsonreport.com/publication_the_current_issue.php?1=1
“Card issuer losses occur primarily at the point of sale from counterfeit cards. Issuers bear the fraud loss if they authorize merchants to accept payment. Merchant and acquirer losses occur primarily in transactions with card absent (CNP) on the web, at a call center, or by mail order.”
That is why PCI DSS exists and should be taken seriously, with all requirements fully implemented and practiced on a daily basis. Card fraud is a very real problem, and like most crimes, if you think it won’t happen to you, think again. Ignorance, complacency, and corner cutting remain the top contributors to card data theft.
The changes are very much in line with the NNT methodology of continuous, real-time security validation for all in-scope systems. The PCI SSC says of the changes in version 3 of the standard: “The recommendations are focused on helping organizations to take a proactive approach to protecting cardholder data that focuses on security, not compliance, and makes PCI DSS a common practice.”
So instead of an exercise of ‘once a year, do some scans, patch everything, get a report from a QSA and then relax for another 11 months’, the PCI SSC is trying to educate and encourage merchants and banks to integrate and enforce security best practices within their day-to-day operations, so that PCI compliance follows as a natural consequence.
Continuous FIM: the foundation of PCI compliance
In fact, having an ongoing FIM approach as the starting point for security and PCI compliance makes perfect sense. Setup doesn’t take long; it only alerts you when action is actually needed, it helps you define a hardened build standard for your systems, and it pushes you to adopt the discipline needed for change control. On top of that, it gives you complete peace of mind that systems are being actively protected at all times, 100% in accordance with PCI DSS requirements.
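To make the continuous FIM idea concrete, here is an added example (not NNT’s product code, and not from the PCI SSC) of the core loop such monitoring performs: hash a baseline of the files in scope, re-hash later, and report added, removed and modified files, separating changes covered by an approved change ticket from unplanned ones. The directory layout, file names and the `approved` set are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root (the trusted baseline)."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current, approved=frozenset()):
    """Classify differences between two snapshots; 'unplanned' = changes with no change ticket."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    changed = added | removed | modified
    return {"added": sorted(added), "removed": sorted(removed),
            "modified": sorted(modified), "unplanned": sorted(changed - approved)}


def demo():
    """Constructed scenario: baseline, then one approved config edit and two unplanned changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "pos").write_bytes(b"constructed-binary-v1")
        baseline = build_baseline(root)
        # Later: a config change under an approved ticket, a binary removed, a new file appearing.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "pos").unlink()
        (root / "bin" / "unexpected.so").write_bytes(b"constructed-unknown")
        return compare(baseline, build_baseline(root), approved={"etc/app.conf"})


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the monitored host and the comparison run on a schedule or on file-system events rather than once.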