PCI version 2 on its way.
July 15th, 2010 by Bob Munson
The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has announced that the next issue of its Data Security Standard (PCI-DSS) is going to be version 2. Previously we have only had minor revisions, 1.0 to 1.1 and 1.2, so moving up to V2.0 seems like a big step.
The PCI SSC has a clearly defined 5 stage Lifecycle Process for Changes to PCI DSS. We are currently in Stage 4: "New Version / Revision and Final Review", which will take us up to the end of August. On 30th September the council will discuss the new version, and its release is expected to be the 28th October.
Once released, the new standard becomes effective immediately, though there will be a grace period of at least 3 months to comply with any requirements. In practice this is normally extended but is in place in case of any urgent security changes.
Should I wait for the new standard before starting my compliance process?
NO! Any new standard is going to be stricter than the current one. If you don't comply now, you are going to be further away when the new standard is released.
What some people don't realise is that PCI-DSS isn't an audit to get through but a process that should be continually followed and reviewed. Hackers and thieves don't just try a preset approach; they continually adapt, looking for new ways to make a fast buck. We need to keep one step ahead, responding to new threats and making sure it isn't our 'buck' they are taking.
Where is the budget coming from to fund this PCI investment?
This is a question I usually turn on its head.
What would it cost your company's reputation if it got out that cardholder information had been leaked? How much would it affect the stock market value? How many sales would be lost to your competitors? Then add on how much the credit card companies would fine you for the breach.
Even if there is not a breach, the payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicised, but they can be catastrophic.
Now can you afford not to fund PCI investment?
EQALIS will be upgrading their Splunk PCI app to meet the requirements of the new standard and can be contacted about any of the topics discussed here.
Tags: Pci, Compliance, Splunk, Eqalis, App
Posted in Splunk | 1 Comment
1 Comment to "PCI version 2 on its way."
Bob Munson Says: October 1st, 2010 at 5:43 PM
The PCI Security Standards Council have just released a summary of changes, highlighting where the changes are occurring. Download it from https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf