No silver bullet for PCI compliance
Taking stock of PCI five years on
In 2010, the PCI Security Standards Council released new versions of the three standards we manage: the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA DSS). We also kicked off our new three-year lifecycle for the future development of these standards. All around the world, organizations are moving toward the adoption of the updated standards so that they can begin 2012 with assessments against the newest iterations. As evidence of the maturity of these security standards, the vast majority of the enhancements were focused on providing further clarification on the application of existing requirements. As we enter this critical implementation phase of our security journey, there are a few items I'd like you to keep in mind:
Technology is just a part of the solution. We live in an exciting time of innovation and continually evolving technologies. For the payment security world this means an increasing focus on the promise of technologies (such as encryption and tokenization) designed to help reduce the cardholder data environment (CDE) within an organization and help control where the data resides. The council recognizes the potential of these technologies for simplifying PCI DSS compliance for organizations and understands the market appetite for information on how to take advantage of them.
It is important to remember, however, that there is no silver bullet when it comes to security. Addressing and developing both people and processes, in addition to technology, is critical to a security strategy that is not just successful but maintainable.
People and processes continue to be the key to implementing a strong security strategy.
Technology can only go so far to protect you, but having these other two elements in place will go a long way in helping you stay secure.
Regardless of the types of technologies you have put in place, you can't ignore one critical aspect of this process: If you don't need the data – don't store it. Consider the benefits of two processes highlighted in the recent changes to PCI DSS 2.0 – scoping and logging. The clarifications around scoping reinforce the need for a process that identifies and documents all locations and flows of cardholder data, so that the CDE is scoped accurately. This process helps you understand where the data actually resides, including places it was never meant to be, allowing you to protect that segment more effectively.
We hope you will support the PCI Security Standards Council by sharing feedback about your company's implementation journey. Visit the website at www.pcisecuritystandards.org.
»Don't need it, toss it
PCI-compliant technologies can store and properly protect certain data, such as the primary account number (PAN), but if you don't have a business use for this data – get rid of it.
»Facilitating the process
The council provides education for all stakeholders across the payment chain. We have expanded that arm to facilitate the process of compliance and securing payment card data.
»Call for input
Participate in the process by offering feedback, join us in training sessions to become better educated on the standards and get in touch with us along the way with comments.
»Visit the website
The revamped council website – with a centralized documents library – makes it simpler to find what you're looking for and is presented in a language you can easily understand.