Purposeful View: PCI DSS 2.0 Compliance (by Walt Lapinsky, 26 May 2011)
Late in 2010 the Payment Card Industry (PCI) Security Standards Council announced version 2.0 of the PCI Data Security Standard (DSS) and the Payment Application (PA) DSS. The PCI DSS is the worldwide information security standard for organizations that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards. The sole purpose of these standards is to reduce credit card fraud by limiting the exposure of the sensitive information needed to commit that fraud. Depending on the volume of such transactions, organizations must either undergo an annual audit by an external Qualified Security Assessor or complete an annual Self-Assessment Questionnaire.
The changes in 2.0 come under several categories, including:
All audits after 1 January 2012 must be done against the PCI DSS 2.0 standard.
Some companies with low volumes, and therefore low fines for non-compliance, feel it is better to be fined than to be compliant. While it is true that the fines can be substantially less than the cost of becoming compliant, the real risk to the company is not the cost of the fines but the cost of a data breach. According to the Ponemon Institute, on average it costs a company over $200 for each lost record in direct and indirect costs. Over 80% of the records stolen through data breaches are stolen by organized criminal groups. They are very good: they take everything they can get, and they use that data to commit fraud. Since the time between the initial compromise of your systems and the point at which you stop the attack is usually measured in weeks or months, when you are attacked you are likely to lose a large number of records.
The US Secret Service / Verizon RISK Team “2010 Data Breach Report” noted that 79% of companies covered by PCI DSS that had data breaches in 2010 were not compliant. That still means that 21% of those data breaches occurred at companies that were compliant. Based on conversations with lawyers on both sides of data breach cases, you are a whole lot better off if you were compliant.
Our view: yes, you have to. And, yes, you should. We believe PCI compliance should become a business imperative, not just an IT imperative.
Purposeful Clouds helps companies assess and plan their best options for Cloud technology adoption, with before-the-fact consideration of contingencies, ROI, and further migration strategies. To discuss how we would be able to help you make the best decisions, contact us at email@example.com.