PCI SCC Turns 10: A Look at Its Strengths and Weaknesses

 
 
By Chris Preimesberger  |  Posted 2016-09-01
 
 
 
 
 
 
 
 
 
  • Previous
    1 - PCI DSS Turns 10: A Look at Its Strengths and Weaknesses
    Next

    PCI DSS Turns 10: A Look at Its Strengths and Weaknesses

    Ten years have passed since the implementation of PCI DSS, designed to bolster security of payment cards. How effective is it?
  • Previous
    2 - Positive: Sets a High Bar
    Next

    Positive: Sets a High Bar

    For an industry to assess how well it's doing, there needs to be an objective standard against which to make that judgment. The PCI DSS has set that bar.
  • Previous
    3 - Positive: Establishes a Strong Starting Point
    Next

    Positive: Establishes a Strong Starting Point

    The PCI DSS has served as an effective starting point for many organizations that are looking for a baseline to protect their customers' payment card information. The process of identifying where payment card data lives, targeting vulnerabilities that could enable a compromise, remediating those vulnerabilities and reporting to acquiring banks and card brands is a fundamental aspect of a strong information security program.
  • Previous
    4 - A Plus and a Challenge: Constant Updates Need Constant Attention
    Next

    A Plus and a Challenge: Constant Updates Need Constant Attention

    The PCI SSC constantly updates the PCI DSS so organizations can stay ahead of the latest threats and better protect their customers' payment card data, even as their business environment becomes more complex. Since 2006, when the first version of the PCI DSS was released, the PCI SSC has updated it seven times. The constant change is necessary to keep up with the evolving technical and business environment; however, it also can pose a significant challenge, especially to smaller merchants who are struggling to keep up.
  • Previous
    5 - Positive: Quarterly Vulnerability Scans Are Important
    Next

    Positive: Quarterly Vulnerability Scans Are Important

    The PCI DSS mandates that organizations perform quarterly vulnerability scans and report their remediation results to auditors. The scans are in addition to the comprehensive annual PCI DSS assessments. With or without these requirements, organizations should follow best practices on a continuous basis. For those that do not, at least customers are ensured that a minimal amount of attention is being paid to identify and remediate vulnerabilities a few times a year.
  • Previous
    6 - Positive: Checks In on Weak Links
    Next

    Positive: Checks In on Weak Links

    The latest version of the PCI DSS, PCI DSS 3.2, adds a requirement for third-party service providers—which, as demonstrated by the rash of high-profile breaches during the past few years, continue to be a weak link for information security. PCI DSS 3.2 mandates that service providers perform quarterly reviews to ensure personnel are following security policies and operational procedures. Providers are also required to perform penetration testing on segmentation controls at least every six months.
  • Previous
    7 - Challenge: Often Seen as 'Check-the-Box' Routine
    Next

    Challenge: Often Seen as 'Check-the-Box' Routine

    Too many organizations still approach PCI DSS compliance with a check-the-box mentality, often going through the motions to meet the requirements and not practicing good cyber-security hygiene overall. Organizations need to approach cyber-security from a risk-based point of view, making cyber-risk management a continuous priority as they do all other operational risks.
  • Previous
    8 - Challenge: It's Hard for Large Organizations to Stay Ahead of the Curve
    Next

    Challenge: It's Hard for Large Organizations to Stay Ahead of the Curve

    Large organizations with distributed legacy environments (such as multiple generations of point-of-sale systems located in hundreds of stores, running on proprietary terminals) struggle to maintain compliance with the ever-evolving PCI DSS. When the standard is updated, organizations scramble to make sure their technologies and security controls are also updated to comply, which is a tricky task when the environment is distributed globally. If organizations implement strong cyber-security protections from the get-go, then they can stay ahead of the curve of PCI DSS compliance.
  • Previous
    9 - Challenge: Automation Must Replace Manual Process
    Next

    Challenge: Automation Must Replace Manual Process

    For many organizations, reporting on compliance quarterly and annually is a time-consuming, manual task that involves extracting data into spreadsheets that are stitched together to present to auditors. Manually compiling cyber-risk information into various spreadsheets is a daunting, distracting, resource-intensive effort that forces security teams to take their eyes off the ball of protection. Cyber-risk reporting must be automated, not only for PCI DSS auditors but, more importantly, so that security executives, line-of-business application owners and boards of directors understand how well they are protecting their crown jewels.
  • Previous
    10 - Challenge: Errors, Bias Inevitably Get Into the Process
    Next

    Challenge: Errors, Bias Inevitably Get Into the Process

    In addition to the effort and distraction of manually compiling PCI DSS compliance reporting, inevitably, errors and bias will creep into the data. In some cases, organizations run out of time to collect the data and, therefore, use outdated information from past reports. If organizations adopt automation for collecting, analyzing and reporting cyber-risk information, then all stakeholders will be working off the same set of data.
  • Previous
    11 - Challenge: Intra-Enterprise Process Coordination Necessary
    Next

    Challenge: Intra-Enterprise Process Coordination Necessary

    The PCI-DSS compliance process requires coordination between compliance, security, IT and line-of-business application owners. Often, the dance between these many parties is broken, resulting in firefighting and last-minute reactive activity. To stay ahead of the game, line-of-business application owners should be made an integral part of protecting the applications and data that they own, and not just a peripheral sign-off along the way.
 

September 2016 marks the 10-year anniversary of the Payment Card Industry Security Standards Council, a group created by the major card brands to strengthen the protection of payment card information. The PCI SSC manages the Payment Card Industry Data Security Standard, a requirement for any organization that stores, processes or transmits payment card information. The PCI SSC continuously develops and updates the PCI DSS based on the most current threats and increasing complexities in organizations' environments. In light of the PCI SSC's milestone anniversary, we thought it would be informative to reflect on the positives and problems surrounding the standard. No standard gets through industry scrutiny unscathed; in fact, standards nearly always lag behind innovation. PCI DSS, however, is a rare standard that is ahead of the curve. In this eWEEK slide show, using industry information from Bay Dynamics Vice President of Program Management Steven Grossman, we talk about the impact of these standards.

 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
Rocket Fuel