
January 1, 2014, was the effective date set by the Payment Card Industry Security Standards Council for PCI DSS 3.0, the updated version of its retail operation and security procedure standards (published in November 2013, with the previous version permitted until the end of 2014). The new standard took effect weeks after the Target data breach was disclosed in December 2013.

Based on input from its global partners and industry leaders, the Council's newest objectives focus on raising awareness within organizations of the responsibilities that come with increased security, shared by management and employees alike. The message for retail organizations is to assess, refine, revise where necessary to meet the compliance requirements, and then enforce the PCI security best practices contained in the new standard as an ongoing part of running the business.

There's a steep price to be paid for PCI noncompliance, and the following data highlights it clearly. The financial costs of a data breach can be very high:

According to the 2010 Annual Study: US Cost of a Data Breach conducted by the Ponemon Institute, the average total cost of a data breach in 2010 was $7.2 million. Although each breach has its own set of unique factors, the financial impact is fairly consistent across them.

Of particular note to CimTrak users is Requirement 11.5.1 of the new standard, which calls for implementing a process to respond to any alerts generated by the change-detection mechanism (file integrity monitoring). IT security personnel must be able to show that every alert is investigated and resolved. Critical files generally do not change, so an unexpected modification can indicate a system compromise. Many breaches occur because alerts from security tools (such as file integrity monitoring systems) are never investigated. Under 3.0, auditors will verify that a documented process for responding to these alerts is in place and followed.
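To make the 11.5.1 idea concrete, here is a small added example (not CimTrak's code and not part of the original post) of the two halves a file-integrity process needs: a hash baseline that is compared against the live tree to produce alerts, and an alert log in which every alert must be closed with a disposition and a change ticket, so that an "open" entry is visible to whoever reviews the process. The directory, file names and contents are constructed for the demo; the disposition values and ticket format are assumptions.

```python
"""Added example (not CimTrak's code): a minimal file-integrity baseline
and change-detection pass, plus the alert-handling record that PCI DSS 3.0
Requirement 11.5.1 expects an organisation to keep.
All paths, file contents and ticket numbers below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = (_sha256(full), os.stat(full).st_mode & 0o777)
    return baseline


def detect_changes(baseline, root):
    """Compare the current tree with the baseline; one alert per deviation."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("removed", rel))
        elif rel not in baseline:
            alerts.append(("added", rel))
        elif baseline[rel][0] != current[rel][0]:
            alerts.append(("modified", rel))
        elif baseline[rel][1] != current[rel][1]:
            alerts.append(("permissions", rel))
    return alerts


@dataclass
class AlertRecord:
    kind: str
    path: str
    disposition: str = "open"   # assumed values: open | authorized | incident
    ticket: str = ""


@dataclass
class AlertLog:
    """The auditable record 11.5.1 asks for: every alert and how it was resolved."""
    records: list = field(default_factory=list)

    def ingest(self, alerts):
        for kind, path in alerts:
            self.records.append(AlertRecord(kind, path))

    def resolve(self, path, disposition, ticket):
        # An alert can only be closed as an approved change or as an incident;
        # anything else would let it silently disappear from the queue.
        if disposition not in ("authorized", "incident"):
            raise ValueError("disposition must be 'authorized' or 'incident'")
        for r in self.records:
            if r.path == path and r.disposition == "open":
                r.disposition, r.ticket = disposition, ticket

    def unresolved(self):
        """Alerts nobody has investigated yet; this list should normally be empty."""
        return [r for r in self.records if r.disposition == "open"]


def demo():
    """Constructed scenario: baseline a tiny web root, change it, then triage."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "app.cfg"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>ok</html>\n")
        baseline = build_baseline(root)

        # Two changes: a config edit covered by a change ticket, and a new
        # file nobody approved.
        with open(os.path.join(root, "conf", "app.cfg"), "w") as f:
            f.write("debug=true\n")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"\x7fELF-not-really\n")

        alerts = detect_changes(baseline, root)
        log = AlertLog()
        log.ingest(alerts)
        log.resolve(os.path.join("conf", "app.cfg"), "authorized", "CHG-1042")
        return alerts, [(r.path, r.disposition) for r in log.unresolved()]


if __name__ == "__main__":
    found, still_open = demo()
    print("alerts:", found)
    print("still open (must be investigated):", still_open)
```

The point the example makes is that detection alone does not satisfy the requirement: the config edit is closed against a change ticket, while the unapproved file stays in `unresolved()` until someone records an investigation, which is exactly the trail an assessor would ask to see.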

Other recommendations call for the following:

  • Each guideline requirement should have a specific security policy along with operating procedures

  • There should be corporate guidelines for all of the standard PCI requirements

  • Stricter requirements for penetration testing, including validation that network segmentation actually isolates the cardholder data environment

  • More flexibility in how password strength and complexity are achieved, paired with user education on choosing strong passwords

  • Important new requirements for increased security at point-of-sale terminals

These updated guidelines will hopefully help to reduce the unique risks related to payment card environments.


Tags:
Compliance
Jacqueline von Ogden
January 9, 2014
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.