Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    PCI SCC Turns 10: A Look at Its Strengths and Weaknesses

    By
    Chris Preimesberger
    -
    September 1, 2016
    Share
    Facebook
    Twitter
    Linkedin

      PrevNext

      1PCI DSS Turns 10: A Look at Its Strengths and Weaknesses

      1 - PCI DSS Turns 10: A Look at Its Strengths and Weaknesses

      Ten years have passed since the implementation of PCI DSS, designed to bolster security of payment cards. How effective is it?

      2Positive: Sets a High Bar

      2 - Positive: Sets a High Bar

      For an industry to assess how well it’s doing, there needs to be an objective standard against which to make that judgment. The PCI DSS has set that bar.

      3Positive: Establishes a Strong Starting Point

      3 - Positive: Establishes a Strong Starting Point

      The PCI DSS has served as an effective starting point for many organizations that are looking for a baseline to protect their customers’ payment card information. The process of identifying where payment card data lives, targeting vulnerabilities that could enable a compromise, remediating those vulnerabilities and reporting to acquiring banks and card brands is a fundamental aspect of a strong information security program.

      4A Plus and a Challenge: Constant Updates Need Constant Attention

      4 - A Plus and a Challenge: Constant Updates Need Constant Attention

      The PCI SSC constantly updates the PCI DSS so organizations can stay ahead of the latest threats and better protect their customers’ payment card data, even as their business environment becomes more complex. Since 2006, when the first version of the PCI DSS was released, the PCI SSC has updated it seven times. The constant change is necessary to keep up with the evolving technical and business environment; however, it also can pose a significant challenge, especially to smaller merchants who are struggling to keep up.

      5Positive: Quarterly Vulnerability Scans Are Important

      5 - Positive: Quarterly Vulnerability Scans Are Important

      The PCI DSS mandates that organizations perform quarterly vulnerability scans and report their remediation results to auditors. The scans are in addition to the comprehensive annual PCI DSS assessments. With or without these requirements, organizations should follow best practices on a continuous basis. For those that do not, at least customers are ensured that a minimal amount of attention is being paid to identify and remediate vulnerabilities a few times a year.

      6Positive: Checks In on Weak Links

      6 - Positive: Checks In on Weak Links

      The latest version of the PCI DSS, PCI DSS 3.2, adds a requirement for third-party service providers—which, as demonstrated by the rash of high-profile breaches during the past few years, continue to be a weak link for information security. PCI DSS 3.2 mandates that service providers perform quarterly reviews to ensure personnel are following security policies and operational procedures. Providers are also required to perform penetration testing on segmentation controls at least every six months.

      7Challenge: Often Seen as ‘Check-the-Box’ Routine

      7 - Challenge: Often Seen as 'Check-the-Box' Routine

      Too many organizations still approach PCI DSS compliance with a check-the-box mentality, often going through the motions to meet the requirements and not practicing good cyber-security hygiene overall. Organizations need to approach cyber-security from a risk-based point of view, making cyber-risk management a continuous priority as they do all other operational risks.

      8Challenge: It’s Hard for Large Organizations to Stay Ahead of the Curve

      8 - Challenge: It's Hard for Large Organizations to Stay Ahead of the Curve

      Large organizations with distributed legacy environments (such as multiple generations of point-of-sale systems located in hundreds of stores, running on proprietary terminals) struggle to maintain compliance with the ever-evolving PCI DSS. When the standard is updated, organizations scramble to make sure their technologies and security controls are also updated to comply, which is a tricky task when the environment is distributed globally. If organizations implement strong cyber-security protections from the get-go, then they can stay ahead of the curve of PCI DSS compliance.

      9Challenge: Automation Must Replace Manual Process

      9 - Challenge: Automation Must Replace Manual Process

      For many organizations, reporting on compliance quarterly and annually is a time-consuming, manual task that involves extracting data into spreadsheets that are stitched together to present to auditors. Manually compiling cyber-risk information into various spreadsheets is a daunting, distracting, resource-intensive effort that forces security teams to take their eyes off the ball of protection. Cyber-risk reporting must be automated, not only for PCI DSS auditors but, more importantly, so that security executives, line-of-business application owners and boards of directors understand how well they are protecting their crown jewels.

      10Challenge: Errors, Bias Inevitably Get Into the Process

      10 - Challenge: Errors, Bias Inevitably Get Into the Process

      In addition to the effort and distraction of manually compiling PCI DSS compliance reporting, inevitably, errors and bias will creep into the data. In some cases, organizations run out of time to collect the data and, therefore, use outdated information from past reports. If organizations adopt automation for collecting, analyzing and reporting cyber-risk information, then all stakeholders will be working off the same set of data.

      11Challenge: Intra-Enterprise Process Coordination Necessary

      11 - Challenge: Intra-Enterprise Process Coordination Necessary

      The PCI-DSS compliance process requires coordination between compliance, security, IT and line-of-business application owners. Often, the dance between these many parties is broken, resulting in firefighting and last-minute reactive activity. To stay ahead of the game, line-of-business application owners should be made an integral part of protecting the applications and data that they own, and not just a peripheral sign-off along the way.

      PrevNext
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×