Aah, do I have to?

Purposeful View: PCI DSS 2.0 Compliance (by Walt Lapinsky, 26 May 2011)


Late in 2010 the Payment Card Industry (PCI) Security Standards Council announced version 2.0 of the PCI Data Security Standard (DSS) and the Payment Application Data Security Standard (PA-DSS). The PCI DSS is the worldwide information security standard for organizations that store, process or transmit cardholder data for debit, credit, prepaid, e-purse, ATM and POS cards. The sole purpose of these standards is to reduce payment card fraud by limiting exposure of the sensitive data needed to commit it. Depending on transaction volume, an organization must either undergo an annual on-site assessment by an external Qualified Security Assessor (QSA) or complete an annual Self-Assessment Questionnaire (SAQ).

The changes in 2.0 come under several categories, including:

  • Clarification and additional guidance.
    This set of over 100 changes includes better definitions, clarifications of scope and process, and removal of some redundancy in the specification. We expect that most of these changes will have little practical impact on most organizations, but all of them should be reviewed carefully.
  • Risk Based Approach.
    The requirement is updated so that vulnerabilities are ranked and prioritized according to risk. This is an evolving area of the standard, and we expect significant changes to it in future versions. We also believe it is critical that organizations adopt this risk-based approach so that they concentrate their effort where it yields the most benefit. If a vulnerability is low risk but expensive to correct, and you can properly document that low risk rating, you may be able to demonstrate compliance without “fixing” it outright, or by using documented compensating controls that meet the intent of the requirement. All high-risk vulnerabilities must still be addressed.
  • Emerging Threats.
    Changes to ensure that the standard is keeping up with emerging threats and changes in the market.
  • Virtualization.
    Update to the “one primary function per server” requirement (2.2.1), which now explicitly allows one primary function per virtual system component where virtualization is in use.

PCI DSS 2.0 took effect on 1 January 2011, and all assessments performed after 1 January 2012 must be done against it.

Some companies with low transaction volumes, and therefore low fines for non-compliance, conclude that it is cheaper to be fined than to be compliant. While the fines can indeed be substantially less than the cost of becoming compliant, the real risk to the company is not the fines but the cost of a data breach. According to the Ponemon Institute, a lost record costs a company on average over $200 in direct and indirect costs. Over 80% of the records stolen through data breaches are taken by organized criminal groups. They are very good at what they do, they take everything they can get, and they use the data to commit fraud. Because the time between initial compromise and containment is usually measured in weeks or months, a successful attack is likely to cost you a great many records.

The US Secret Service / Verizon RISK Team “2010 Data Breach Investigations Report” noted that 79% of the breached organizations in its caseload that were subject to PCI DSS had not achieved compliance. That also means that 21% of those breaches hit companies that had been assessed as compliant; compliance is validated at a point in time, and an organization can drift out of compliance well before its next assessment. Based on conversations with lawyers on both sides of data breach cases, you are still a whole lot better off if you were compliant.

Our view: yes, you have to. And, yes, you should. We believe PCI compliance should become a business imperative, not just an IT imperative.

Comments? Questions? Contrary views? Some event we missed?
We welcome your feedback at talk@purposefulclouds.com

Purposeful Clouds helps companies assess and plan their best options for Cloud technology adoption, with before-the-fact consideration of contingencies, ROI, and further migration strategies. To discuss how we would be able to help you make the best decisions, contact us at info@purposefulclouds.com.
