PCI DSS 3.0 is good, but not good enough
Ed Fox, vice president of network services, MetTel
Security is the topic of the year. With every new information leak (and there were a lot in 2014), end users are looking for ways to better protect themselves and keep their personal financial identity safe from hackers. What's the latest initiative to help the cause? PCI Data Security Standard (DSS) 3.0 compliance, a standard started by Visa in 1999 to combat the $750 million in credit card fraud losses seen by Visa and MasterCard between 1988 and 1998.
A PCI timeline and what businesses need to know in 2015
Since its inception, PCI DSS has been updated and revised several times to keep up with technological changes in the industry. Visa set the first standards (PCI DSS 1.0), providing those in the payment-processing lifecycle with a set of mandatory requirements that would provide transactional security. The standards ensured that merchants met a minimum level of security for storing, processing and transmitting cardholder data. By October of 2010, changes in technology and increased fraudulent activity birthed the next version of the standards, PCI DSS 2.0. In a 2010 report by Verizon, it was clear that companies struggled to meet the standards already in place. Now in the first stage of PCI DSS 3.0, we are seeing vendors scramble to reach and maintain compliance.
There are twelve broad requirements for compliance, split into six groups called “control objectives.” With each updated version of PCI DSS, new sub-requirements have been added, but the twelve main requirements do not change. The difficulty of meeting the requirements varies from easy to quite difficult.
On June 30, 2015, PCI DSS 3.0 will be mandatory for all businesses, but the most recent Verizon 2014 PCI Compliance Report shows that only 11 percent of merchants were fully compliant between annual audits.
Does PCI compliance = safety?
2015 will be the year that consumers take their identity protection into their own hands, after watching one too many retailers face a security breach as a result of unprotected and insecure transactions. Any retailers who are not compliant will face consequences from both customers and regulators.
Given the looming compliance deadline, security is a top agenda item for most retail executives. Although achieving PCI compliance is necessary, companies will soon come to realize that it isn't enough. The previous version of the PCI requirements was a list of suggestions open to interpretation, whereas the new set of standards in PCI DSS 3.0 includes more detailed specifications. However, the question remains as to whether the latest regulations will be enough to keep cardholder information secure.
Protecting customers' information requires an integrated effort from the merchant. Here are a few ways businesses can keep their customers' information secure:
- Monitor every step of the process.
While this does require additional staff time, having live analysts monitoring for attacks ensures that threats and breaches are dealt with before they become a major problem.
- Maintain your System Logs.
Hot, searchable system logs from all IT and networking systems should be available for monitoring by several analytics engines. These logs should be retained in hot, searchable storage for 12 months so that analytics engines can properly search for anomalies year over year, month over month or day over day. This gives greater insight into the CDE (Cardholder Data Environment) and can provide answers should anomalies be found.
- Keep “security information management” (SIM) top of mind.
Collecting, monitoring and analyzing security-related data is a huge part of keeping customers' information safe. Deal with the people and social media aspects of corporate digital security first, as most penetrations begin with an end user getting tricked or being lazy!
Put your business and your customers first
While it might not be coming from the mouths of customers shopping at Target or Home Depot, it will certainly be a factor in how businesses structure their information security programs. Whether your business is a nationwide retail chain or a small boutique, it's important to put your customers (and their identities) first. Being breached may or may not have a significant impact on future sales, but there is no doubt it has major financial implications.
PCI DSS 3.0 compliance is only one step toward securing these identities and your environment. Ensure your business interprets the standards in a very cautious and security-minded manner, one that requires the strongest relationships and partnerships with customers.