Your payment card data = cash for thieves
Payment card data remains one of the easiest types of data for criminals to convert to cash — 74 percent of attacks on retail, accommodation and food services companies target payment card information, according to the Verizon 2014 PCI Compliance Report.
According to the Verizon report, there is an initial dip in compliance whenever a major update to the Payment Card Industry (PCI) Data Security Standard (DSS) is released. Organizations that are breached tend to be less compliant with PCI DSS than the average in Verizon’s research. Organizations should put in the effort now to prepare for compliance with PCI DSS 3.0, which companies are required to have in place before the Jan. 1, 2015 deadline. In 2013, the global cost of card fraud rose to $11 billion from $3 billion in 2000, according to The Nilson Report.
PCI DSS is a globally recognized compliance standard that all organizations, including merchants and service providers, must follow whenever storing, processing and transmitting credit card information. Version 1.0 of the standard was released in December 2004 and was most recently updated to version 3.0 in November 2013. In 2013, only 11.1 percent of companies complied fully with DSS 2.0. PCI DSS 3.0 comprises 12 high-level requirements, and contained in these are well over 200 sub-requirements pertaining to managing the security of people, processes and technologies. The challenge for most companies is in applying this complex standard to existing environments and understanding the intent of each control. As PCI DSS qualified security assessors (QSAs), Brown Smith Wallace is often engaged to provide PCI Advisory Services to help clients become compliant. The firm has worked with clients in multiple industries, including retail, not-for-profit, service, transportation and education, to help them reach their PCI DSS 3.0 compliance goals.
Here are five tips for managing PCI compliance in any organization:
- Focus on Scoping: Utilize network segmentation or other strategies to help limit or reduce the scope of the PCI DSS 3.0 requirements.
- Reduce Costs: Additional scope-reducing techniques are often recommended, such as tokenization and outsourcing, which further help to reduce the cost and complexity of correctly implementing PCI DSS 3.0.
- Make It a Team Effort: Compliance needs to be a part of everybody’s job — from executives and the IT security team to staff and administrators.
- Think of Compliance Year-Round: To be effective, compliance must be an ongoing effort, worked into a wider risk management strategy rather than treated as an annual assessment.
- Leverage Compliance as an Opportunity: Take a fresh look at systems and reevaluate the processes that affect your business.
Organizations should reevaluate their existing controls to ensure they meet the PCI DSS 3.0 intent and definition changes.
Schedule a meeting with Michael Springer, CISSP, GPEN, CEH, QSA, to discuss PCI compliance in your organization.