As the New Year begins, everyone is looking to learn more about upcoming 2014 technology and security trends. Experian’s 2014 Data Breach Industry Forecast predicts that new security threats and transparency regulations will make 2014 a “critical year” for data breaches and warns organizations that they need to be better prepared.
Getting serious about PCI compliance
Accepting credit and debit cards is a fact of life at organizations worldwide. Hand-in-hand with card acceptance comes the responsibility to safeguard all transaction and consumer data. For organizations that process card transactions, one way to prepare is to take the PCI compliance of your business more seriously. Oftentimes, organizations see PCI compliance as just another industry buzzword or an opportunity for another hidden fee, but the reality is that the security of your business is at stake.
As the data landscape grows more and more complex, it becomes even more critical to safeguard data from potential breaches. The consumerization of IT, virtualization, and the cloud all offer significant productivity and cost benefits to businesses. But in trying to be responsive to a corporate sense of urgency around the “latest, greatest” technologies, it is also important to be sure that security plans are vetted and up to date so they are the best fit for your organization’s processes and technology. The cycle of compliance does not stop after the initial effort of achieving compliance. In fact, there is no “after” when it comes to being in compliance; it is not a project that comes to an end.
The difference between security and compliance
The terms “security” and “compliance” are often used interchangeably, but they are not the same thing. A network that satisfies every rule in a standard is not necessarily secure, and a secure network still needs documented, auditable evidence before anyone can call it compliant. Many organizations, including some of the world’s most prominent enterprises, have suffered IT security breaches and compromises while fully compliant with numerous regulations, because an assessment is a point-in-time snapshot and the attacker arrives later. As organizations embrace new technologies, new threats emerge as well. So it becomes even more critical for security to be regarded as an ongoing activity that requires constant attention.
An action plan for PCI 3.0 compliance
PCI DSS Version 3.0 became effective on January 1, 2014, and businesses have one year to adopt it (Version 2.0 remains valid through December 31, 2014). A handful of the new requirements (6.5.10, 8.5.1, 9.9, 11.3 and 12.9) are classified merely as best practices until June 30, 2015, and become mandatory on July 1, 2015. When it comes to data security and PCI compliance, a proactive approach can help save you time, money and possibly your reputation. Here is an action plan to help you get started with making security business as usual and getting a lead on PCI 3.0 compliance:
1. Adopt a data-centric approach to security, risk and compliance
2. Understand cardholder data, scoping and compensating controls
3. Identify cardholder data locations and look for ways to “modify” data so it becomes “non-PCI” data. Truncation keeps at most the first six and last four digits of the PAN; tokenization replaces the PAN with a surrogate value that only a vault inside the cardholder data environment can map back. A system that holds only truncated or tokenized values no longer stores cardholder data.
4. Consolidate cardholder data and employ segmentation to reduce the PCI DSS “footprint”
5. Focus on policies, processes, and management of security
6. Follow the PCI DSS from a logical and not sequential perspective
7. Understand the intent of the requirements and when a specific requirement cannot be directly addressed, consider compensating controls
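Steps 2 through 4 above hinge on first finding where primary account numbers (PANs) actually live and then replacing them with something that is not cardholder data. The following added example (my own illustration, not code from the original post) shows the three pieces a practitioner would want for that: a PAN discovery pass that combines a digit-run regex with a Luhn check so that order numbers and timestamps are not flagged as card data, a truncation routine that follows the PCI DSS 3.3 display rule (first six and last four digits at most), and a minimal in-memory token vault. The log lines are constructed for the example and use the well-known public test card numbers, not real cards; the token format `tok_<hex>` and the `TokenVault` class are my assumptions, not anything the standard prescribes.

```python
import re
import secrets

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop a 16-digit run from being carved out of a longer number.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines for the example. The card numbers are the
# public test numbers published by the card brands; the order number is a
# 16-digit value that deliberately fails the Luhn check.
SAMPLE_LINES = [
    "2014-01-15 10:02:11 checkout ok pan=4111-1111-1111-1111 amount=19.99",
    "2014-01-15 10:02:12 order id=1234567890123456 status=created",
    "2014-01-15 10:03:40 retry card 5555 5555 5555 4444 declined",
    "2014-01-15 10:04:02 amex 378282246310005 approved auth=812345",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Discover likely PANs in free text: regex candidates filtered by Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Mask a PAN per PCI DSS 3.3: show at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Illustrative in-memory vault (assumption for this example).

    In a real deployment the vault itself is inside the cardholder data
    environment; everything that only ever sees tokens is out of scope.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN always maps to the same token so records still join.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(8)   # random, not derived from PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def scrub_line(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in a line with a vault token."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            return vault.tokenize(digits)
        return m.group()          # not a card number, leave it alone
    return PAN_CANDIDATE.sub(repl, line)


def scrub_lines(lines: list[str], vault: TokenVault) -> list[str]:
    return [scrub_line(line, vault) for line in lines]


if __name__ == "__main__":
    vault = TokenVault()
    for line in SAMPLE_LINES:
        pans = find_pans(line)
        print(f"{len(pans)} PAN(s) {[truncate_pan(p) for p in pans]}: "
              f"{scrub_line(line, vault)}")
```

Two points worth noticing when running this: the order number on the second line survives untouched because it fails the Luhn check, and the scrubbed lines contain no card digits at all, so a log store that only ever receives the scrubbed output holds no cardholder data. Real discovery tooling scans files, databases, backups and memory rather than a list of strings, but the regex-plus-Luhn filter and the vault boundary are the same idea.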
As you consider the implications of PCI DSS Version 3.0 on your business, keep in mind to not only navigate the complex requirements of PCI compliance, but to do so with an eye towards improving your overall security posture.
In light of recent high-profile data breaches, you may be asking: “How do I prevent this from happening? Where do I look to lower the risk of data compromise?” The best way to lower the risk of a successful compromise is to live PCI compliance and security best practices every day. With the right approach, your organization will remain secure, and prosperous.
For additional insight, please view our on-demand webinar PCI 3.0 is Here: Are You Prepared?
If you have questions or comments about security and PCI compliance, leave them in comments — I’ll do my best to answer them.