The average cost of a data breach is now $3.8 million. Organizations that fall prey to cybercrime can face steep penalties, fines, cleanup costs, and mass customer defection due to a damaged public image. PCI compliance has never mattered more than it does today, especially in an era of increased information security threats such as zero-day malware.
CSO Online recently wrote that preventing data breaches is a "business problem." In other words, IT must collaborate with business units to establish regulatory compliance and reduce risk to an acceptable level. In this post, you'll learn about some recent updates to the Payment Card Industry Data Security Standard (PCI-DSS) guidelines, and what's next for compliance.
PCI Compliance Requirements
Verizon Research indicates that compliance with PCI is improving, but 80% of companies "fail at interim assessment." While this represents a nearly 9% improvement over the 2014 study, there is vast room for better compliance at organizations of all sizes.
The information threat landscape isn't getting simpler. Consumers have also become more savvy about privacy and protection issues: 69% of consumers would be less inclined to do business with a breached organization, due to a fear of repeated issues.
Organizations are putting an increased focus on compliance. This can entail better technologies for file integrity monitoring and other required measures, as well as improved processes to support information security governance. In many cases, companies are choosing to enlist expert external auditors to manage vulnerabilities in complex networks.
What Are Important Components of Managing PCI Risk?
According to the Verizon study, over the course of ten years, zero organizations were found to be fully compliant with all PCI requirements at the time of an initial assessment. While PCI requirements and risks can vary according to organizational size and the volume of card transactions processed, Verizon research reports the following components are crucial to mitigating security risk:
- Monitoring, patching, and logging
- Comprehensive information security governance
- Effective access controls and user identification
- Firewalls and other forms of "perimeter" security
- Protection against malware injections and other forms of attack
- Encryption for stored card data
- Regular penetration testing and assessment
PCI-DSS v3.0: What You Need to Know
If your business completed an assessment and Report on Compliance (RoC) between January and June of 2015, an assessment in the first half of 2016 will require you to validate compliance with PCI-DSS v3.0, which became effective July 1, 2015. The requirements new to PCI-DSS v3.0 include:
- 6.5.10 – Coding practices to protect against broken authentication and session management.
- 8.5.1 – Service providers with remote access are now required to use unique authentication credentials.
- 9.9.x – Devices that directly capture payment card data must be protected from tampering and substitution.
- 11.3 – Implementation of a methodology for penetration testing.
- 12.9 – Service providers must give a written agreement or acknowledgement to customers.
PCI-DSS v3.1 to v3.2: What You Need to Know
This update to PCI-DSS v3.0, released in April 2015, provided clarification on certain guidelines. Timelines for compliance are the same as for PCI-DSS v3.0. Compliance validation is in effect for all organizations completing a RoC on any date on or after July 1, 2018. The PCI SSC extended the migration completion date for the requirements in this update to June 30, 2018. After June 30, 2018 (previously 2016), merchants are no longer allowed to use SSL or early TLS to protect payment information.
Exceptions are made for merchants using SSL or early TLS who can prove they are not susceptible to the known vulnerabilities in these protocols. However, for the vast majority of organizations relying on SSL or early TLS, migrating to a current TLS version will reduce risk.
What's Next for PCI?
Updates to PCI requirements represent the state-of-the-art for information security. PCI guidelines and recommendations are typically developed in direct response to emerging threats and patterns of vulnerability among merchants.
Organizations should take steps to immediately adopt recommendations for PCI compliance, even if they are not due for an assessment in the near future. PCI isn't an annual goal, but a set of best practices to be implemented on a daily basis. By viewing compliance as a business-wide effort, organizations can significantly reduce their vulnerabilities.
For more information on how Cimcor can help organizations exceed PCI recommendations for file integrity monitoring, click here.
April 5, 2016