PCI 3.0 Spells More Risk Management for Midsize Business
The PCI DSS standards have been around for more than a few years now and, right or wrong, they have found their way into the day-to-day business functions of most businesses that accept credit cards, and of those that service merchants who do. Many in the security industry have lamented that PCI has wrought a culture of “checkbox” security, where merchants and others in the PCI ecosystem seek a lowest-common-denominator level of security. For years the PCI Council has been seeking to raise the minimum levels of earlier PCI data security standards by introducing more of a risk management approach to PCI.
The latest draft of the PCI DSS, version 3.0, is due out shortly. Due to the elongated implementation cycles adopted a while back, this newest version won’t be in effect until January of 2014 and won’t be fully in effect until June of 2014.
While smaller merchants may not see many changes in the day-to-day management of PCI, midsize organizations should see PCI merge with their existing security and risk management processes and policies. For instance, the requirement for penetration testing should not be a new exercise for most midsize companies.
Overall, the trend behind PCI 3.0 is towards a more holistic risk management approach. Understanding vulnerabilities, prioritizing them in light of the business, and remediating them were all introduced in PCI 2.0 and expanded upon in 3.0.
Moving away from point-in-time requirements towards a continuous process of compliance and risk management is, to me, perhaps the biggest theme in this new version. Recognizing that you can’t just say that you were PCI compliant one day and not the next because a breach occurred is a step in the right direction.
Of course, if you are new to PCI or up to this point have only been doing the minimum to meet the requirements, PCI 3.0 may represent a wake-up call to you and your organization. Frankly, though, if this is what it takes to make your organization take security and risk management seriously, it is not a bad thing.
Another thing that I see with the new DSS is that, for Level 1 merchants and even larger Level 2 merchants, it will require more hands-on PCI expertise from consultants or PCI experts. Could be a case of job security built in.
The PCI Council has put out a PDF noting some of the key changes in the new requirements. You can access it at: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf. In the meantime, January and June 2014 will be here before you know it. You should start brushing up on the new requirements for PCI 3.0 to make sure your organization does not start out behind the eight ball on this.
One other piece of good news is that, with the new cycles, there won’t be another revision to the PCI DSS for a couple of years after this. That is long enough to get your head wrapped around this one. Good luck!
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.