It seems like such a short time ago that we formed the PCI Security Standards Council and embarked on our goal to improve payment security through increased awareness and adoption of the PCI Data Security Standard (DSS). One year later, and we have many compelling metrics and additional anecdotal evidence to document the largest annual increase in those proactively securing their organizations and acting on the best practices for payment data security laid out in the DSS.
For example, in the last year: more than 350 organizations have joined the Council as Participating Organizations; the Council successfully integrated management, global training and certification programs for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs); the Council has taken on management of the PIN Entry Device (PED) and Payment Application Data Security Standard (PA-DSS) standards; and we assembled more than 300 security professionals at the first global PCI Community Meeting in Toronto in September.
But with major data breaches driving news coverage in the last year and information on their impact unfolding daily, are organizations really getting it? From the Council's perspective, in the last year, we have definitely seen a shift in thinking from those we meet with. Initially, after the introduction of version 1.1 of the DSS, we heard a lot of “Why do we have to do this?” One year later, and the question has shifted to “How do we do this?”
Trust me, if your organization suffers a breach, fines for noncompliance will be the least of your concerns.
While it hasn't begun in full yet, in the next year, consumers are going to continue to monitor news of breach incidents from those not in compliance, and eventually they will reach a boiling point. The brand damage will inevitably grow more and more pronounced and consumers will begin to shun the affected companies.
So what is next for payment data security?
We hope to gain additional success through acquirer outreach, transfer of the PA-DSS standard to the Council, and the roll-out of a streamlined Self Assessment Questionnaire (SAQ).
We also hope to raise the awareness and increase adoption of the DSS among smaller merchants in the next year.
In addition, we have a tremendous opportunity to leverage the expertise and enthusiasm of our global Participating Organizations to continue to update our data security standards to better address emerging threats and better reflect what's going on in the current marketplace.
Here's to 2008: it's going to be a great — and hopefully a more secure — year.
30 SECONDS ON...
Do the right thing
There will come a time soon when sales and offers of credit monitoring are not going to cut it with consumers, says Seana Pitt. We all have a duty to improve data security. It's not only a responsibility, it is the right thing to do.
Recent survey results indicate that 77 percent of consumers mistakenly believe identity fraud is increasing, says Pitt, with 63 percent citing merchants as least secure in protecting account information.
A change is coming
She points out that three out of four consumers surveyed are unlikely to continue shopping at a merchant where a data breach occurs. “You need to become more secure for your clients, not just for contractual obligations,” she adds.
A look back at 2007
Pitt says that for 2007, she will remember the people she has met, the relationships that have been established and the discussions that have begun and will continue to drive increased customer security.
From the CSO's desk: In with more PCI compliance in 2008
From the December 2007 issue of SC Magazine.