PCI can be a real InfoSec wake-up call. Merely attempting to comply with the many PCI DSS
requirements can deliver benefits across the business, where previously the business was completely unaware of
the risks, or perhaps hadn't been treating those risks with the proper regard. Forcing a business into action to meet the specific PCI requirements often results in security improvements across the entire organisation: not just tightening the security of the credit card data in its possession, but of personal and confidential information as well.
Love it or hate it, PCI does business good
The truth of PCI DSS is that most of its 260-odd individual requirements,
which set the minimum baseline for PCI compliance, are simply industry best
practice for information security anyway, so businesses are supposed to be doing
the lion's share of them already. What PCI DSS does in the small to medium
business environment (when taken seriously) is force businesses to take note of these best practices and ultimately implement them, in most cases applying the security improvements holistically across the business. For instance, measures such as establishing a good patch
management process, deploying anti-virus, and writing information security policies
benefit the entire business, not just the cardholder data
environment, so the business ends up killing many data-protection birds with one stone.
Today 90% of the card fraud in the UK occurs within level 4 merchants (the
smallest of businesses), specifically due to web application vulnerabilities: classes of vulnerability
which have been known about for over 10 years. Yet if these businesses were PCI DSS
compliant, it would be fair to say the majority of these breaches just wouldn't occur. This statistic is actually testament to the success of PCI DSS in
the larger businesses, in that the larger companies (levels 1 to 3) have been
chased and forced to address PCI DSS compliance by their acquiring banks, as opposed to the heavily breached small businesses, which have yet to be vigorously chased for compliance. Given the
latest fraud stats, though, they can soon expect to be.
I am not saying PCI DSS is perfect, lord knows it isn't, and I do understand
the arguments made by infosec leaders working within larger enterprises which already treat information security
as a business priority. But I find it very hard to argue that PCI DSS
is not helping medium to small businesses, not only to protect cardholder data, but
to improve their general information security, even if they aren't strictly fully compliant with the standard. Simply trying to comply and meeting most of the PCI
DSS requirements seriously reduces their breach risk, not just for
cardholder data, but for the personal data they hold as well.
One final point I want to be crystal clear on: a business cannot be considered PCI DSS compliant unless it is meeting all of the PCI DSS requirements, not just on the date of the PCI assessment, but 365 days a year, 7 days a week, 24 hours a day. A QSA's successful Report on Compliance will not save a business from fines if a breach occurs because the business was not meeting even a single requirement. How many businesses are truly compliant in this way is up for debate.
7x24 implies 365. I do not believe most QSAs assess for sustainability processes and procedures (and their artifacts) when performing ROCs. May be a gap. Example: if the merchant cannot produce the weekly reports for file integrity (there should be 52 on file for 1 year retention?) and point to change controls to remediate issues found, then fail???
Really cool post! Thanks a lot for sharing.
PCI DSS is worth complying with. E-commerce sites such as banking all use the model for their services.
Awesome post. People definitely need to be more informed about this and realize how many people are affected by it. According to creditcard.com, "The number of U.S. identity fraud victims rose 12 percent to 11.1 million adults last year, the highest level since the survey began in 2003." This is a very serious issue, and companies need to step up and provide better protection of customers' sensitive information. PCI DSS is a solution to this HUGE problem, and it's really not that expensive to implement. I did that with my online business and I feel much safer now.