PCI DSS v1.1 - it’s great isn’t it?

If your business is involved with taking credit card payments then you will be familiar with PCI DSS (if not, where have you been?). Much has been written about the Standard: whether it has worked, whether it is a good thing and whether it is worth the hassle of becoming compliant. Having worked with it for more than six years, I thought I would offer my perspective.

Before that, a little bit of history for you: PCI DSS is now more than 10 years old and version 3.2 will be released shortly. It should always be remembered that it is an industry standard (not a legal requirement), created by the major card issuers to protect their brands and payments. This in itself is no bad thing. After all, before PCI, there was no effective regulation or control of how payments were handled or card holder data managed. From this perspective it should be considered a major success.

However, it is not without its faults or detractors. Many of the perceived failings of PCI DSS, I believe, come from an unrealistic position: that compliance with the Standard will make you ‘hack proof’ and that it represents security best practice. Neither is true. In theory, compliance with PCI DSS should be relatively straightforward if you are already following security best practice across your entire business. The old saying that ‘compliance does not equal security’ is never truer than when applied to PCI compliance.

When approaching PCI compliance consider the following:

  • Risk management. Start with the last requirement (no. 12) and implement an effective risk management strategy. This will have enormous benefits beyond the limited boundaries of PCI compliance. Get this part right and everything related to PCI compliance will be easier.
  • Technical requirements. PCI is more than just a technical standard. You should be involving all departments, not just IT. Make sure your business understands what you are doing and gain executive management support to ensure that it is enforced.
  • By necessity, the PCI standard has been written to encompass merchants and service providers of all sizes. The remit means that many of the statements and requirements are open to interpretation. A good, experienced QSA will guide you through the areas of concern and be able to advise on the right course of action.
  • Understand from the outset that PCI will not make you 100% secure (indeed there are huge sections devoted to event logging and the collection of data, all of which will be used in a post-breach investigation). But it can certainly help you eliminate the most obvious security weaknesses and consequently make you less of a target.
  • Minimum standard. The requirements of PCI are generally regarded as fairly standard within the IT security industry. If you are struggling to gain compliance, ask yourself why, and look at IT security across your organisation and not just with regard to credit card payments.
  • Silver bullets. Beware of any consultant, vendor or QSA that tries to sell you a specific product to achieve compliance. It does not exist and is not required.

I hope that the Standard continues to adapt and evolve. It may not be perfect in every way, but it is still the best we have.


About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services and Security Consulting Services with ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions. 
