Over the past few years, adoption of and compliance with PCI standards has made it more challenging for criminals to steal large volumes of credit card data. Some of the improvements in the evolution of the standards, like log monitoring and other steps – a result of industry feedback and involvement in standards development – have increased the likelihood that an organization can identify anomalies indicative of breaches, and hopefully stop them before the criminals abscond with payment data.
So, where do we take it from here? Our mission at the council remains the same: protecting cardholder data must be at the center of our efforts. The PCI standards offer the best protection of payment card data across all payment channels. We must continue to increase awareness, and provide the education and resources for security and business professionals alike to secure their organizations' data.
At the council, we will continue to focus on understanding technologies that offer Payment Card Industry Data Security Standard (PCI DSS) scope reduction for merchants, including point-to-point encryption (P2PE) and tokenization. While there's no silver bullet, we believe that through these technologies we can make it simpler, faster and more efficient for smaller merchants to adopt the PCI standards.
We will continue to engage all PCI stakeholders with new opportunities for participation, and provide a dedicated period for collecting and sharing feedback. This, in turn, will not only result in additional supplementary guidance, but also in strong revisions to the next iteration of the PCI standards, to be released in 2013. We believe that through this feedback loop we are gathering the input of the widest collection of payment and security experts around the world in an effort to reduce payment card fraud.
Since people and processes are a critical part of a successful security mix, the council is expanding the current Payment Card Industry Security Standards Council training offerings to continue to increase payment card security expertise.
Additionally, we've incorporated awareness training so that everyone can better understand what PCI is about and how it applies to their role in protecting payment card data. But we need your feedback to help us grow our knowledge base, keep up with and mitigate the latest attacks, and adopt the newest technologies safely and securely. I used to have a boss who periodically asked me a particular question, which I now pass along to you: “What have you done for payment security lately?”
Keep on pushing
We have to keep pushing adoption of PCI DSS across the payment chain, and encourage further adoption among smaller merchants and franchise organizations, says Mitchell.
All must get involved
When he says “we,” he means all possible parties along the payment chain – acquiring banks, technology vendors, security assessors, merchants and industry associations.
Obliterate old exploits
Further, he says, efforts must be doubled so threats don't continue to move down the chain, leaving mom-and-pop shops an easy target for an antiquated exploit.